Auditing a device

ABSTRACT

The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration is received. Initialization information is also received. The physical memory is selectively written in accordance with a function. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier.

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation in part of co-pending U.S. patentapplication Ser. No. 12/580,891 entitled AUDITING A DEVICE filed Oct.16, 2009, which is incorporated herein by reference for all purposes,which claims priority to U.S. Provisional Application No. 61/234,604entitled DETECTION OF MALWARE filed Aug. 17, 2009 which incorporatedherein, in its entirety, by reference for all purposes. This applicationalso claims priority to U.S. Provisional Patent Application No.61/311,999 entitled AUDITING A DEVICE filed Mar. 9, 2010 which isincorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

Existing techniques for detecting the presence of unauthorized programsare typically resource-intensive. For example, they generally requireconstant updates (e.g., of blacklists) and periodic or continuous scansfor problems. The situation is exacerbated if the device being protectedby such techniques has limited resources, such as limited memory, or bybeing powered by a battery. As one example, a device with limitedresources may not be able to store definitions for detecting all knownunauthorized programs. As another example, scanning for unauthorizedprograms is typically a power-intensive act, and may quickly deplete thebattery of a battery-powered device. In some environments, a centralauthority is used to facilitate the discovery of unauthorized programs.One drawback of this approach is that it typically requires that thedevice being protected compile detailed logs of device activities.Generating such logs is resource-intensive (e.g., requiring largeamounts of disk storage; processing power to assemble the log data; andthe bandwidth to deliver the log data to the central authority) and canalso present privacy problems.

Existing techniques for detecting the presence of unauthorized programsare also generally vulnerable to attempts by such programs to causeincorrect reporting. For example, a rootkit can “listen in” to requestsby applications to the operating system, and may modify these requestsand their responses. If an application requests information about whatprocesses are running, a malicious rootkit application can avoiddetection by removing information about itself from the report that isreturned by the operating system.

Existing techniques for screening against the installation or executionof unauthorized programs are also known to be vulnerable to newinstances of malware that may not immediately be detectable due to alack of information about their structure and functionality. Therefore,and irrespective of the resources available to the device, if theunauthorized program is sufficiently sophisticated and/or has notpreviously been encountered, it can evade detection and cause undetectedharm. And, if the unauthorized program has intentionally been installedby the user to bypass detection (e.g., to facilitate software piracy),traditional techniques may fail to locate the unauthorized program, orany other unauthorized activities.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the followingdetailed description and the accompanying drawings.

FIG. 1 illustrates an embodiment of an environment in which deviceauditing is provided.

FIG. 2 illustrates an embodiment of a device.

FIG. 3 illustrates an embodiment of a process for performing a deviceaudit.

FIG. 4 illustrates an embodiment of a process for performing a deviceaudit.

FIG. 5A illustrates a representation of a memory prior to an executionof the process shown in FIG. 3.

FIG. 5B illustrates a representation of a memory while the process shownin FIG. 3 is occurring.

FIG. 6 illustrates an embodiment of a process for performing a deviceaudit.

FIG. 7 illustrates an example of pseudo code for use in conjunction withauditing a device.

FIG. 8 illustrates an example of a process for performing a deviceaudit.

FIG. 9 illustrates an embodiment of an environment in which deviceauditing is provided.

FIG. 10 illustrates an embodiment of a portion of a device.

FIG. 11 illustrates an embodiment of a process for performing a deviceaudit.

FIG. 12 illustrates a portion of memory being read in accordance with astep.

FIG. 13 illustrates an embodiment of an implementation of a process forselectively reading memory.

FIG. 14 illustrates an embodiment of an implementation of a process fortiming a portion of a device audit.

FIG. 15 illustrates an embodiment of a process for performing a deviceaudit.

FIG. 16 illustrates an embodiment of a portion of a process forperforming a device audit.

FIG. 17A illustrates a conceptual view of a physical memory.

FIG. 17B illustrates a conceptual view of a physical memory.

FIG. 17C illustrates a conceptual view of a physical memory.

FIG. 17D illustrates a conceptual view of a physical memory.

FIG. 18 illustrates a conceptual view of a portion of a physical memory.

FIG. 19 illustrates an embodiment of a process for performing a deviceaudit.

FIG. 20 illustrates an embodiment of a process for manipulating thephysical memory of a device.

FIG. 21 illustrates an embodiment of a process for manipulating thephysical memory of a device.

FIG. 22 illustrates an embodiment of a process for unwinding a deviceafter the process shown in FIG. 20 has been performed.

FIG. 23 illustrates an embodiment of a process for unwinding a deviceafter the process shown in FIG. 21 has been performed.

FIG. 24 illustrates an embodiment of a process for manipulating thephysical memory of a device.

FIG. 25 illustrates an embodiment of a process for manipulating thephysical memory of a device.

FIG. 26 illustrates an embodiment of a process for unwinding a deviceafter an audit.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as aprocess; an apparatus; a system; a composition of matter; a computerprogram product embodied on a computer readable storage medium; and/or aprocessor, such as a processor configured to execute instructions storedon and/or provided by a memory coupled to the processor. In thisspecification, these implementations, or any other form that theinvention may take, may be referred to as techniques. In general, theorder of the steps of disclosed processes may be altered within thescope of the invention. Unless stated otherwise, a component such as aprocessor or a memory described as being configured to perform a taskmay be implemented as a general component that is temporarily configuredto perform the task at a given time or a specific component that ismanufactured to perform the task. As used herein, the term ‘processor’refers to one or more devices, circuits, and/or processing coresconfigured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention isprovided below along with accompanying figures that illustrate theprinciples of the invention. The invention is described in connectionwith such embodiments, but the invention is not limited to anyembodiment. The scope of the invention is limited only by the claims andthe invention encompasses numerous alternatives, modifications andequivalents. Numerous specific details are set forth in the followingdescription in order to provide a thorough understanding of theinvention. These details are provided for the purpose of example and theinvention may be practiced according to the claims without some or allof these specific details. For the purpose of clarity, technicalmaterial that is known in the technical fields related to the inventionhas not been described in detail so that the invention is notunnecessarily obscured.

FIG. 1 illustrates an embodiment of an environment in which deviceauditing is provided. In the example shown, device 102 is a cellulartelephone. Device 102 is in communication (e.g. via network 104) withverifier 106. In FIG. 1, device 102 communicates with verifier 106 via a3 G network. Verifier 106 is under the control of a carrier, such as aprovider of telephony service to device 102. Verifier 106 includes adatabase of hardware configuration information, including an entrycorresponding to device 102 and the amount of RAM included on device102.

As will be explained in more detail below, device 102 can be auditedsuch that any evasive programs (e.g., malware) present on the device canbe detected and/or removed. In some embodiments this is accomplishedthrough the undertaking of a sequence of modifications to physicalmemory included on device 102. Results associated with the performanceof the memory modifications are verified by verifier 106. Once device102 is determined to be free of influence of such evasive programs,additional scans can be performed, which are also described in moredetail below. For example, in addition to detecting malware (e.g.,software installed without a user's knowledge and/or consent), thetechniques described herein can detect “jailbreaking” actions (e.g.,privilege escalations) taken by the user, such as to circumvent digitalrights management installed by a carrier or hardware manufacturer.

A variety of devices can be used in conjunction with the techniquesdescribed herein. For example, in some embodiments device 102 is a videogame console. The video game console is configured to communicate with averifier under the control of the manufacturer of the game console viathe Internet (104). If the owner of device 102 makes an unauthorizedchange to device 102 (e.g., by using a modification chip), verifier 106will be able to detect the modification accordingly.

Other examples of devices that can be used in conjunction with thetechniques described herein include desktop computers, notebookcomputers, netbooks, personal digital assistants, video playback devices(e.g. televisions, DVD players, portable video players), routers, accesspoints, settop boxes, medical devices, and virtually any other devicethat includes a processor and a memory.

In various embodiments, verifier 106 is controlled by a user of device102, instead of by a separate entity. For example, a desktop computerowned by the user of device 102 can be configured to provideverification services to device 102. In that scenario, device 102 can beconfigured to communicate with the verifier via a local network. Device102 can also be configured to communicate with verifier 106 directly(e.g., via a dedicated cable) and network 104 is omitted as applicable.

In some embodiments a verifier is collocated with or otherwise directlycoupled to device 102. For example, a subscriber identity module (“SIM”)card inserted into a cellular phone can be configured to provide thefunctionality of verifier 106 to the cellular phone. As another example,the functionality of verifier 106 can be integrated into a power cordused to charge a cellular phone. In such embodiments, an externalverifier can either be omitted, or can be used in addition to theverification services provided by the collocated/coupled verifier. Asone example, suppose device 102 is a personal video player withintegrated WiFi capabilities. A power cord used to charge the device canbe configured to provide verification services to the device each timeit is charged. In addition, if the WiFi radio is active, the device canbe configured to communicate periodically with a verifier provided bythe manufacturer of the device. As another example, a verifier 106 canbe included on a USB device that is periodically inserted by a user intoa laptop 102. In addition, whenever a user of laptop 102 attempts toconduct banking transactions with an online bank, the bank can alsoprovide verification services to the laptop 102 prior to granting accessto the user's account. As yet another example, a network operator orservice provider can require a user to have his or her machine auditedbefore he or she is allowed on the network or allowed to access aservice. User can also initiate an audit, for example, after realizingthat he or she has been exposed to a potentially risky situation. Oneway a user can initiate an audit is to select a menu option on thedevice. Another example way is for the user to request an audit fromverifier 106 (e.g., by submitting an online request through a web form).

FIG. 2 illustrates an embodiment of a device. In the example shown,device 102 includes a processor 202, a first memory 204, a second memory206, and a communications interface 208. As one example, device 102includes a 528 Mhz ARM processor (202), 128 MB of RAM (204), a micro SDcard slot into which a user has inserted a 1 GB micro SD card (206), anda 3 G modem (208). Memory 204 is also referred to herein as “fast”memory. Memory 206 is also referred to herein as “slow” memory. However,memories 204 and 206 need not be different speeds. Other components mayalso be included in device 102, such as a GPS receiver (not shown).Elements, such as second memory 206, may also be omitted as applicable.One may refer to RAM that can contain active programs as fast, andconsider RAM that can only store data as slow.

Using the auditing techniques described herein, the absence of activeprocesses in fast memory can be verified. And, after that verificationhas been completed, all memory (e.g., both fast and slow) can be scannedto identify, classify, report and potentially modify the contents of thefast and slow memory, or portions thereof. The distinction between fastand slow memory can be made in a variety ways. For example, on a devicewith RAM, flash memory and a hard drive, it is possible to treat onlythe RAM as fast memory and flash memory and the hard drive as slowmemory. It is also possible to treat both the RAM and the flash memoriesas fast memory and the hard drive as slow memory. It is also possible toconsider all memory physically located on a given device as being fast,and all external memory accessible (or potentially accessible) by thedevice as slow. The turnaround time to communicate to externalcomponents will cause such external accesses to be slower, irrespectiveof the type and actual local access speed of the external memory.Depending of what types of memory are treated as fast vs. slow, theselection of parameters would be done accordingly.

As will be described in more detail below, the existence of unauthorizedmodifications to device 102 can be detected by configuring device 102 torun a series of modifications to memory 204 and examining the results.If for example, the time it takes to perform the modifications exceeds atolerance of a predetermined length of time, or if a result determinedin conjunction with the modifications does not match an expected result,the presence of an evasive program may be indicated. In variousembodiments, the memory modifications are performed across all memory ona device (e.g. both memory 204 and memory 206), instead of being runonly on fast memory such as memory 204.

FIG. 3 illustrates an embodiment of a process for performing a deviceaudit. In various embodiments, the process shown in FIG. 3 is performedby device 102. The process shown in FIG. 3 can be initiated in a varietyof ways. For example, the process can be initiated every time the usercharges the device (e.g., by configuring the device to initiate theprocess when it detects a power supply). The process can also beinitiated in response to the occurrence of a particularly large orunusual transaction, in response to a concern that the user is at risk(e.g., in response to the carrier receiving notification that a newvulnerability has been released by a nefarious individual), in responseto the elapsing of a certain amount of time, etc. Additional examples ofevents that can trigger the initiation of the process shown in FIG. 3include an attempt by the user of device 102 to make a payment orotherwise engage in a financial transaction, an authentication attempt(e.g., the user of the device attempting to access to a bank account),and an access request being performed (e.g., a request for the downloadof a movie to the device).

The process begins at 302 when one or more hardware parameters thatcorrespond to a hardware configuration is received. Example hardwareparameters include the amount and the speed of fast memory 204. Forexample, in the case of the device shown in FIG. 2, the hardwareparameters would include “amount=128M” and “speed=300 Mhz.” Additionalparameters that can be used include the number of cores, the type ofbus, etc.

The hardware parameters can be received in a variety of ways. As oneexample, the SIM of a cellular phone can be configured to detect theamount and speed of installed memory. As another example, if aproprietary cable is used to connect device 102 to a power source (or toa computer or other device), the parameters may be known (and thus“received”) by virtue of the cable only working in conjunction with adevice having a specific amount and speed of memory. As yet anotherexample, a serial number of a device may indicate the amount and speedof fast memory 204 installed on a device. In various embodiments, theuser (or a representative thereof) is requested to input memoryparameters in a web form or a configuration file. Assumptions can alsobe made about the likely memory configuration of the device and abenchmarking program can be run to confirm whether the assumption islikely to be correct.

At 304, a sequence of modifications to a physical memory is performed.Examples of ways in which such modifications can be performed aredescribed in more detail below. In some embodiments the sequence ofmodifications to be performed is determined by the verifier. The set ofmodifications to be made can be provided to the device in a variety ofways. For example, the sequence can be constructed on the device basedon a seed value. The sequence can be pre-loaded onto the device at timeof manufacture, at time of delivery to the supplier or carrier, or atthe time of purchase. It can also be loaded by user choice or by aservice provider at any time after purchase (e.g., as an over-the-updateor as a firmware update), or when needed to perform an audit. Theparameterization can be performed by the manufacturer or supplier orcarrier, given known specifications. It can also be performed through alookup, e.g., of serial number, by a user or service provider. Theparameters can be associated with the model or device name. If thedevice is reconfigured, e.g., by replacement or addition of components,then these new components can carry information about the new oradditional parameterization. The components can also carry the entireset of instructions, instead of just the parameters. Alternatively, theserial numbers, names, or types of components can indicate the neededchange in parameters. If it is believed that the client device is secureat the time of installation of the algorithm or a new component, thenthe client machine can also inquire what components are installed (as istypically done as a system is booted up), and set the parametersaccordingly.

In various embodiments, device manufacturers offer to preloadnon-activated auditing software at no cost, and later request payment toactivate auditing services (and/or the additional scanning servicesdescribed in more detail below. The auditing software can subsequentlybe activated by carriers, on request by end users or service providers.The carrier collects payment for the activation and optionally forwardsportions of the payment to the handset manufacturer, providers ofauditing software, providers of additional scanning software (e.g.,antivirus detection services), and any other parties involved in thetransaction.

At 306, one or more results of the portion of the process performed at304 are reported to a verifier. In some embodiments results are providedto proxy 906, which timestamps the results and provides them to theverifier. As will be described in conjunction with FIG. 5, in someembodiments multiple iterations of modifications to the memory andcommunications with the verifier are made, and the processes shown inFIGS. 3 and 4 are adapted accordingly.

FIG. 4 illustrates an embodiment of a process for performing a deviceaudit. In various embodiments, the process shown in FIG. 4 is performedby verifier 106. As explained above, in some embodiments the processshown in FIG. 4 is performed by an entity separate from device 102 (suchas on a verifier controlled by a carrier). In other embodiments theprocess is performed by a verifier located on or otherwise physicallycoupled to device 102.

The process begins at 402 when results are received. For example, whendevice 102 reports results at 306, those results are received by averifier at 402.

At 404, a determination is made as to whether the results received at404 indicate that an expected sequence of physical modifications wasmade. Verifier 106 is configured with information such as the amount oftime the execution of a sequence of memory modifications should take ondevice 106 (assuming no authorized modifications have been made). Insome embodiments verifier 106 is also be configured to store additionalinformation, such as seed values and the results of computationsperformed by device 102.

If the expected sequence of physical memory modifications is determinedto have been made (e.g., device 106 performed the sequence of memorymodifications), it is concluded (406) that no unauthorized modificationshave been made to the device. And, any evasive processes that mightpreviously have been active on device 102 have been neutralized. If theexpected sequence of physical memory modifications is determined to havenot been made (e.g., because the amount of time to perform the sequenceis off, or computed results are incorrect), it is concluded (406) thatan unauthorized modification has been made to the device. (e.g., that anevasive process is present on the device and is attempting to avoiddetection). In various embodiments, error correcting codes are used toavoid errors due to network noise. Message-authentication codes andother authentication techniques can be used to avoid active tamperingwith contents. Encryption techniques can be used to obfuscate contentsand make it impossible for eavesdroppers to determine the plaintextmessages being transmitted.

FIG. 5A illustrates a representation of a memory prior to an executionof the process shown in FIG. 3. In the example shown, kernel 502,authorized program 504, unauthorized program (e.g., a malware agent)508, and an auditor program 506 are loaded in RAM. Typically, in orderto remain resident on a device, an evasive program needs to do one oftwo things. It must either remain active in RAM (or swap space), or itmust modify a legitimate program, data, or configuration of the deviceto allow the malware agent to gain control after a scan has beenperformed. As will be explained in more detail below, using thetechniques described herein, the presence of the malware agent can bedetected, irrespective of the techniques it employs to evade detection.In addition, using the techniques described herein, the presence of themalware agent can be detected even if auditor 506 is loaded aftermalware agent 504.

FIG. 5B illustrates a representation of a memory while the process shownin FIG. 3 is occurring. As will be explained in more detail below,auditor 506 is configured to clear memory RAM (and any swap space)except for the space used by auditor 506. In various embodiments, aminimalistic set of other services is also permitted to occupy RAM. Forexample, if device 102 supports 3 G communications, the area of RAMoccupied by a 3 G driver/module is not cleared, so that auditor 506 canuse the 3 G modem to communicate with verifier 106. As another example,in some embodiments a microkernel is permitted to occupy a portion ofRAM while auditor 506 clears the remainder of the RAM.

FIG. 6 illustrates an embodiment of a process for auditing a device. Theprocess begins at 602 when an auditor process running on device such asdevice 102 clears all portions of memory 204 (and any swap space) thatis not claimed for use by the auditor. In some embodiments, thisincludes unloading the kernel, various drivers, and all other processes.In various embodiments, the unclaimed memory space is overwritten by asequence instead of being cleared (e.g., with zeros). One examplesequence is a pseudo-random sequence that is combined with the originalmemory contents, such as by using the XOR operation. This allows theunclaimed memory space to later be reconstituted by the repeatedcombination with a pseudo-random sequence that complements or equals thepreviously used pseudo-random sequence. The unclaimed memory space canalso be overwritten with contents in a way that clears it, but whichdoes not correspond to the typical erasing operation of the device. Forexample, it is possible to clear unclaimed memory by writing a sequenceof 01010101 to it, or any other appropriate sequence.

In some embodiments, the auditor code comprises two components: a loaderand a variable algorithm segment. The task of the loader is to loadalgorithm segments from non-RAM storage (e.g., something other thanmemory 204), and hand over control to the loaded algorithm segment.After an algorithm segment has completed, it hands back the control tothe loader.

At 604, contents of memory 204 are reported to verifier 106. In someembodiments the entire contents are reported. In other embodiments, onlydescriptions of changes since the last audit are communicated.

At 606, the device receives a cryptographic seed from the verifier. Theseed is expanded to a pseudorandom string and the string is written toRAM. An example technique for writing a string to RAM in accordance withportion 606 of process 600 is provided below.

At 608, the device receives a cryptographic key from the verifier.

At 610, the device uses the received key to compute a keyed hash of theentire contents of the device's RAM.

At 612, the device reports the resulting value to the verifier. Verifier106 evaluates the results, e.g., according to the process shown in FIG.4.

In various embodiments, device 102 reports state information fromcomputations at 606 and 610 at time intervals set by verifier 106. Theuse of such intervals provides assurance that the computations performedby device 102 are being performed within memory 204 (and not, e.g. aportion of memory 206).

Device 102 obtains updates, from verifier 106, of the seed andrespective key on an as-needed basis. The use of updates providesassurance that device 102 is not outsourcing computation to an externalfast resource. For example, in order to outsource the computation, anevasive program would have to forward the seed and key updates to theexternal device, which would introduce a measurable delay.

Verifier 106 verifies that both the final function value and partialresults are correct and are reported by device 102 to the verifierwithin acceptable time bounds. An example technique for evaluating thetime it takes an auditor to perform its tasks is provided below. Asmentioned above, in some embodiments verifier 106 is external to device102 and is operated by a party other than the owner of the device. Inother embodiments, verifier 106 is under the control of the user ofdevice 102.

After the process shown in FIG. 6 has been completed, auditor 506 canrestore the contents of the device, whether fully or partially, andreturn control to previously active processes or to a process performingfurther scans of memory contents. The contents of the fast memory can berestored if they were swapped out to slow memory prior to the executionof the timed computation, or if the original contents were combined witha string, the latter allowing a similar combination to be performed,thereby recovering the previous state. It is also possible to restartthe device by loading a “starting” state. It is further possible tofirst hand over control to a process that scans, reviews, reports andmodifies the contents of memory, or any subset of these operations(described in more detail below). The reporting can be presented toverifier 106, or to a third party, such as one in charge of managing theprocessing of memory contents. In the latter case, verifier 106 may bein charge of assuring that there is no active malicious process, and thesecond verifier could be in charge of processing the memory of thedevice to determine whether it complies with a particular policy, whichmay be related to malware detection, digital rights management, oranother policy identifying what device memory contents are desirable.

Example Adversarial Strategies

In order for an evasive program to avoid being detected, e.g., duringportion 604 of the process shown in FIG. 6, it must be active in RAM,either as a unique process (504) or as part of a corrupted version ofauditor 506. The following are six example ways in which an evasiveprogram such as malware agent 504 can attempt to remain active:

Strategy 1: Outsource Storage.

The malware agent can stay active in RAM and attempt to remainundetected by causing auditor 106 to not clear the appropriate space(e.g., at 602) and rely on non-RAM storage or external storage to storethe corresponding portion of the pseudo-random string generated at 606.The computation at 610 would then be modified to use the outsourcedstorage instead of the space where the malware agent resides.

Strategy 2: Compute Missing Data.

Instead of outsourcing storage of portions of the pseudo-random string,the malware agent can store a modified representation of the string(e.g., a compressed version, or a version that is missing portions), andreconstitute relevant portions of the string as they are needed duringthe computation of the keyed hash at 610. Since the malware agent hasthe seed from which the pseudo-random string is generated, it can usethis—or later states of the pseudo-random generator—to regeneraterequired portions of data.

Strategy 3: Outsource Computation.

The malware agent can forward relevant data to an external device(assuming the necessary communications infrastructure, such as a WiFiconnection is still enabled). The external device receives data fromdevice 102 and computes the values needed to report to verifier 106,feeding these values to the malware agent on device 102.

Strategy 4: Modify Detection Code.

The malware agent can attempt to replace the code of auditor 506 withmodified code. This replacement code may be designed to suppress reportsof compromised memory contents, or contain a hook for malware code to beloaded after the audit completes. The malware agent can attempt toincorporate such changes to auditor 506 without taking up more space byswapping out or compressing portions of the auditor code and loading orunpacking it again as it is needed.

Filling Fast Memory

This section describes an example technique that can be used inconjunction with portion 606 of the process shown in FIG. 6.

FIG. 7 illustrates an example of pseudo code for use in conjunction withauditing a device. In the example shown, the subroutine get_permutationreturns a vector indicating a random permutation of number_blocks items,ranging from 0 to number_blocks−1, where number_blocks is the number ofportions of size equal to a flash block that the RAM comprises, minusthose needed by the auditor. The subroutine next_string_chunk returns apseudo-randomly generated chunk of bits; the term chunk is used to referto the amount of data that can be sent on the memory bus. As oneexample, for an Android G1 phone, a chunk is 32 bits.

Both get_permutation and next_string_chunk use the most recentlyprovided seed as input. The pseudo-random string can be computed assegment_(i)←hash(segment_(i-1) i.e., in a way that cannot be computedusing random access. One example is a function based on iteratedapplication of the hash function, given the non-homomorphic propertiesof hash functions. A variety of hash functions may be used. One exampleis MD6 in 512-bit mode.

The constant rounds is the number of times a pseudo-random chunk isXORed into the contents of a cell, using the function modify_memory. Thechoice of rounds controls the amount of work an adversary has to performto carry out the second adversarial strategy (computing missing data),while also incurring an increasing cost to the honest execution of thealgorithm for large values. In the example shown, rounds=2, whichresults in a noticeably greater cost to the adversary than rounds=1,since the value of each cell will come to depend on two other cells.This can confound memory management strategies of an adversary. In theexample shown, chunks_per_block is the number of chunks contained in aflash block, equaling 32768 (=128 kB/32 bits) for an example G1 phone,while number_blocks=1024 (=128 MB/128 kB).

The function modify_memory(pos, string) XORs the contents of positionpos with the value string, where pos=0 describes the first chunk of RAMto be operated on, and pos=number_blocks×chunks_per_block−1 is the lastchunk.

The memory access structure described in conjunction with FIG. 7 causesaccesses to individual pages of randomly ordered blocks, if forced touse flash (e.g., memory 206) instead of RAM (204). This will cause theflash to be cleared with an overwhelming probability, and thepseudo-random access order prevents the adversary from scheduling thememory accesses to avoid this drawback. The cost of a flash-boundcomputation in comparison to the RAM-bound alternative available to thehonest execution of the algorithm is noticeably more time consuming.

In some embodiments, one hash function application is used to generateseveral invocations of next_string_chunk. This reduces the computationalburden associated with the auditing process, which emphasizes thecontribution of the memory access in terms of the time to perform thetask.

In various embodiments the input to the hash function is a constantnumber of previous outputs; this complicates storage for a malware agentwishing to reconstitute the state of a given portion of thepseudo-random generator, and is thus useful to further frustrate anyattempt to use strategy 2 (compute missing data).

Performing Timing

This section describes an example technique that can be used for timingthe execution of auditing tasks. For example, in some embodiments thetechnique is employed by verifier 106 as described in conjunction withthe text corresponding to FIG. 6.

Verifier 106 is configured to time the execution of portions 606 and 610of the process shown in FIG. 6, e.g., to identify attempts to outsourcestorage; compute missing data; and outsource computation.

In some embodiments verifier 106 is configured to obtain stateinformation from device 102 at frequent intervals (e.g., that are set byverifier 106). One example of state information is the memory contentsof the memory chunk that was last updated, which vouches for that device102 has reached this stage of the computation. Verifier 106 sends updaterequests to device 102 at regular intervals. In some embodiments theupdate requests correspond to updates of the state of the pseudo-randomgenerator used to compute the output of the subroutinenext_string_chunk. If the output of the subroutine next_string_chunk isgenerated by selecting an unused portion from an already generatedpseudo-random string, the string can be cleared at the same time, thusforcing the new seed to affect the state immediately.

An evasive program employing adversarial strategy 3 (i.e., outsourcingcomputation), must transmit the update of the pseudo-random string tothe external device that performs the computation, after which theexternal device has to compute the resulting next value to be reportedby device 102 to verifier 106 and transmit this to the evasive program.This incurs a round-trip delay. If the round-trip delay exceeds the timebetween timing checkpoints, the cheating will be detected. Here, anassumption is made that seeds and keys, along with other statusinformation, is communicated securely between the client device and theverifier. Various cryptographic techniques can be used to achieve this.

In various embodiments, the device-specific time between checkpoints ischosen so that there is not enough time to outsource computation usingcommunications equipment (e.g., WiFi) included on device 102,pessimistically assuming congestion-free environments.

The execution time of modify_memory is determined by the parameterselections described above and what hash function to use to computenext_string_chunk. For example, the MD6 hash function can be configuredto different output sizes, from 224 to 512 bits. As explained above, insome embodiments a 512-bit version is used. The time per invocation ofmodify_memory is noticeably less than the time between checkpointsdetermined above.

Examples of Detecting Various Evasive Programs

The following section provides examples of how evasive programsemploying the various strategies described above can be detected usingthe techniques described herein.

Defending Against Adversarial Strategy 1—Outsource Storage.

Assume an empty SD card has been inserted into device 102. Thecorresponding write speed could reach up to 5 MB/s. The size of a blockprocessed by modify_memory as described above is chosen, in thisexample, to be 128 kB. The time to write the data to the SD card wouldbe 25 ms. In comparison, suppose RAM on device 102 has a write speed of100 MB/s. The corresponding write time would be 1.25 ms. The additionaldelay can be readily detected. And, if multiple accesses to the SD cardare made between two checkpoints, the additional delay will be even morereadily detected.

Defending Against Adversarial Strategy 2—Compute Missing Data.

As mentioned above, the pseudo-random string can be computed in a waythat cannot be computed using random access. To compute the value of acertain output, the corresponding input needs to be computed from storeddata. Since rounds>1, the data stored in RAM is not this needed state,but a combination of the states of the two or more rounds. The stateneeds to be explicitly stored (in RAM) by the malware agent, as part ofits code space, and the needed state computed from this. This forces themalware agent to compute at least (and in fact, much more) thanrounds×number_blocks×chunks_per_block hash operations during theexecution of portion 610 of the process shown in FIG. 6, in addition tothe computation it needs to perform to “legitimate” computation. For theselected parameter choices, that is more than 100 million hashoperations. Given an approximate time of 10 is for computing a hashfunction invocation, this is about 1000 s, which is approximately 3orders of magnitude more than the expected and can be detectedaccordingly.

A sample proof corresponding to the defense against strategy 2 will nowbe provided. Assume that an evasive program resides in memory 204 andtakes up at least portions of some c 32-bit chunks for itself and itsvariables. A pessimistic assumption can be made that all of this spacecan effectively be used to store variables, which is not possible, butwhich gives a lower bound on the amount of work that the malware has toperform to remain undetected. In reality, its effort is greater as notall c chunks can be used for storage, but some are needed to store itscode.

For each one of the c hits to RAM chunks that do not contain the valuesneeded to compute the function, the malware agent has to compute theexpected contents. It is assumed in this example that the originalcontents—before the RAM-filling was performed—were zero. If this is notso, the effort of the malware agent would be greater, so making thisassumption establishes a lower bound on the effort of the malware agent.To compute the expected updates to this cell that would have beenperformed by the RAM-filling algorithm, the malware agent needs tocompute the values for all the rounds passes on the memory chunk inquestion. The values XORed in to memory come from a pseudo-randomsequence. And, it is only possible to reconstitute the state of thechain in the cell where it is missing by computing the valuenext_string_chunk from a value that is stored by the malware agent inpart of the c chunks of storage. It is assumed that the variables arestored solely in RAM, or the malware agent needs to also succeed withstrategy 1 (outsource storage).

As explained above, the pseudo-random generator cannot be computed usinga random-access approach. It is the case that L=16 chunks is needed tostore a state, given a chunk size of 32 bits and a state size (=MD6output size) of 512 bits. The malware agent has to recompute thesequence of hash function invocations from a position of RAM associatedwith this state (which does not have to be where the malware agentstored this state.)

Given the random permutation over cells during the writing of the memory(the order which cannot be anticipated by the malware agent), theexpected length of the run to the string position corresponding to thestored state is at least rounds×n/(c/L), wheren=number_blocks×chunks_per_block corresponds to the number of chunksthat RAM consist of, rounds×n is the length of the pseudo-random string,and where c/L are the number of pseudo-random states stored by themalware agent. Thus, for each hit to a “bad” cell, the malware agent hasto perform an expected rounds×n×L/c invocations of next_string_chunk,which corresponds to rounds×n×/c. There are c such hits, not countinghits to “bad” cells that occur as the malware agent attempts to computeone of the expected states. Therefore, the malware agent has to performat least rounds×n hash operations to compute the contents of the c badblocks from the stored contents. The approximate time to do this(according to an example implementation) is at least between100,000-1,000,000 times slower than the legitimate client whichindicates that any attempt to compute missing data will be detected.

If the computation of the chain causes the access to a cell that hasbeen used to store a value for another pass of the computation, thenthis causes another hit to be incurred. It would happen with anapproximate probability

(c−c/rounds)/c×c/number_blocks=(c−c/number_blocks)/number_blocks≈c/number_blocksfor each memory access, and therefore, with approximate probability

1−(1−c/number_blocks)^(number) ^(—) ^(blockssrounds) ² ^(/c) for a givenfirst bad cell hit, as described above. A rough approximation of thisquantity is 1−e^(−rounds) ² . For rounds=2, this is more than 98%probability. This additional cost would increase with increasing valuesof c. An adversary would therefore do best to make c small.

In the following, assume that the adversary uses c=L=16 cells only, all16 to store one value. With this configuration, the adversary would failto compute the value (unless using external memory) in those situationswhere the chain leads in a direction that does not make it possible tocompute the value corresponding to the “programcell” from the value inthe “storage cell”. For rounds=2, this failure occurs with probability75%. In the remaining 25% of the cases, the adversary would simply beslowed down. (To always succeed to compute the value, the adversaryneeds to store at least round=2 values, each 512 bits long.

Defending Against Adversarial Strategy 3—Outsource Computation.

In some embodiments the time between checkpoints is chosen so that thereis no time to outsource computation using the communications equipmenton the device. The time between checkpoints can be chosen by verifier106 in a way that makes this immediately detectable. A strategyinvolving outsourcing of computation will fail, as the roundtrip has tobe completed between two checkpoints for the right value to be providedby the adversary. This is independent of the speed of communicationbetween the client device and the verifying party.

Defending Against Adversarial Strategy 4—Modify Detection Code.

Suppose unauthorized program 508 corrupts the execution of some steps(e.g., as described in conjunction with FIG. 6), then willingly loadslegitimate code and removes itself. Such an adversary could potentiallycorrupt portions 602 and 604 of the process, but will not be able tocorrupt portion 606. Specifically, it needs to corrupt portion 602 ofthe process (clearing swap space and RAM) in order to maintain active.It can then cause a misreporting of state at 604. However, this will bedetected when the keyed hash of the memory contents are computed (610).This is both due to the assumed collision-freeness of the hash functionused, and the fact that the key is not disclosed to the device until608. Portion 608 cannot be corrupted without being active during 606,which in turn would cause detection, as described above. And, theevasive program will be unable to compute the correct values to bereported at 612 without executing portion 606 of the process shown inFIG. 6.

Combinations of the four adversarial strategies will also fail, sinceeach of them will be detected and combinations of them do not change theunderlying device-specific limitations.

Additional Processing

FIG. 8 illustrates an example of a process for performing a deviceaudit. In various embodiments, the auditing processes described aboveform one phase (802) of a two (or more) phase process. Once thetechniques described above have been employed with respect to a devicesuch as device 102, an assumption can be made that no evasive softwareis active in the RAM of the device. Arbitrary additional processing canthen be performed on the device (804). Examples of additional processingthat can be performed are described below.

Example Malware

After the processing of 802 is performed, at 804, device 102 performstraditional antivirus software to identify known bad software, such asmay be stored in memory 206. At 804 device 102 can also be configured toreport the entire contents of memory 206 or portions of memory toverifier 106 or to another device.

Example Jailbreaking

After the processing of 802 is performed, at 804 device 102 determineswhether its operating system loader has a particular hash, and/orotherwise determines whether the operating system loader has beenaltered away from a desirable state.

Example Phone Unlocking

After the processing of 802 is performed, at 804 device 102 determineswhether its operating system loader has been altered and also determineswhether any information associated with a service provider has beenaltered.

Example Software Piracy

After the processing of 802 is performed, at 804 device 102 determineswhether any software included in memory 206 has been modified from anexpected configuration, ascertains any associated serial numbers for thesoftware, and/or otherwise determines whether the included software isbeing used in an unauthorized/unlicensed manner. In some embodimentsdevice 102 reports the contents of memory 206 or portions thereof toverifier 106.

Example Media Piracy

Suppose that media files (e.g., music, video, or image files) arecustomized using watermarks during distribution, and that thesewatermarks are cryptographically authenticated, e.g., using a MAC ordigital signature. At 804 it can be determined which files present ondevice 102 have legitimate watermarks, and whether these contain validauthenticators. The determination can be made either locally to device102 or centrally (e.g., on verifier 106).

In various embodiments, applications (such as a music player installedon device 102) record usage and other data (forming a log of activity)and associate the information with the appropriate media (e.g., songfile). The logs can be read by the verifier 106 at 804.

Example Chains of Custody/Usage Logs

Suppose an application (or data file) has an associated log file that isused to record transactions. One example is a log file that records theoccurrence of financial transactions, including stored-valueinformation. The legitimacy of changes made to the log file can beverified as follows. First, the processing of 802 is performed. Then, at804 a determination can made (e.g., by comparing hashes of programimages) as to whether or not the application (or data file) has beenaltered, and thus, whether the log file is genuine.

One approach to the processing performed at 804 in this example is asfollows: First, memory 206 is scanned and a list of applications anddata files associated with the applications is created. Next, a list ofdescriptors for the applications and data files is determined. Anexample of a descriptor is a hash of the file, along with the name andtype of file, and an identifier stating what string sequence(s) itmatched. Next, a second list of any descriptions of applications or datathat is not already reported on in the first list is made. Thedescription created here may include all or parts of the code for anapplication, or of a description of what type of input files itprocesses and output files it produces. The second list is transmittedto an external party, such as verifier 106, where it is verified. Thesecond list can also be processed locally using any policy obtained froma policy verification server.

The outcome of the verification can be used to affect the permissions tothe applications and data, and can be used to control how externalservers interact with the device, including whether it is granted accessto network resources (such as the Internet, 3 G networks, corporatenetworks, etc.). As another example, the software allowed to run on thedevice can be restricted, and notify the user of lack of compliance,attempt to remove or repair or otherwise modify files, etc.

Example Parental Control Filters and Other Monitoring Features

After the processing of 802 is performed, in various embodiments,additional middleware is installed that can be configured to log(and/orblock) various events associated with the device. Examples include:

(a) determining what photos was generated on the device and latertransmitted out (e.g., to prevent “sexting”).

(b) determining (e.g., based on device activity and GPS changes) whetherthe device was used (e.g., for texting or watching video clips) whiletravelling at a speed greater than 20 miles per hour.

(c) determining (e.g., based on installation activity) whetheralternative applications (such as a second instant messaging program inaddition to a default program) has been installed, and then creating alog file for the alternative application.

(d) determining (e.g., based on browser history information) what URLs auser has visited including which URLs were manually navigated to andwhich URLs were referred to in other HTML documents that were accessed.One benefit of this logging is to identify whether a person is likely tohave fallen victim to phishing; has visited a web site known todistribute unwanted content, including malware; and whether the deviceis likely to be involved in click-fraud. Such abuse is possible toachieve without infection of the device itself, e.g., by use ofJavaScript, cascading style sheets, and/or other related scriptinglanguages.

Example Additional Applications

In addition to the above examples, yet more uses of the techniquesdescribed herein are possible. For example, device auditing can be usedin vehicular black-boxes for metering usage, purposes of insurance,tariffs, taxes, tolls, etc.—both to identify malware and intentionaltampering.

The device auditing technique can be included as a component in otherapplications, allowing these applications to temporarily suspendthemselves to perform the scan, and later be given control again, in theknown clean state.

As yet another example, the techniques can be used in medical devices,to determine that they are free from infection, correctly configured andmaintained, and in order to audit usage in special cases when it becomesvaluable to know who had access to data and equipment. The devices inquestion may log usage information at all time, in a way that preloadedapplication cannot interfere with; the audit process would include amemory-printing scan to assert that the preloaded applications are stillin a good state, and that no conflicting applications or configurationsare present.

Finally, the techniques can be used for detection of malware insituations where there is no need to remediate, or where that is not theprimary goal. One such context is for online games, to detect theabsence of modules to cheat in the games.

Preserving Privacy

In some embodiments descriptions of all state (e.g., the contents ofmemory 204) is communicated to the verifier 106. However, some datashould preferably not be transferred off device 102, such as privatekeys and non-executable private data. In the following section,techniques preserving the privacy of such data are described.

Assume that a first random number is called x, and that it is selectedfrom some space of possible values, 1 . . . max_(x). It is possible thatx encodes malware apart from providing an input to the auditing processfor which it was intented. A legitimate program computes a one-wayfunction value y from the input data x and some system parameters, whichis called (g₁, n₁). One example way of doing this is by computing y=g₁^(x) modulo n₁, where g₁ generates a large subgroup of G_(n1).

Let the program then compute a second one-way function value z from thevalue y and some system parameters, which is called (g₂, n₂). Oneexample way of doing this is by computing z=g₂ ^(y) modulo n2, where g₂generates a large subgroup of G_(n2).

Next, it is assumed that the client machine proves (e.g., using azero-knowledge proof) that there is a value x such that z=g₂ ^(g) ¹ ^(x)^(modulo n) ¹ modulo n2, where (z, g₁, g₂, n₁, n₂) are known by theverifier, but (z,x) are not. The device (the “prover”) then erases thevalue x but stores (y,z) and the parameters (g₁, g₂, n₁, n₂).

At later times, the device has to prove that the value y that it stores,but which is secret, corresponds to the value z. (Here, z can be storedon device 102, but can also be stored by verifier 106.) One exampleproof that can be used is a zero-knowledge proof.

If the second proof concludes and verifier 106 accepts it, then theverifier knows that the unknown value z that the client stores is of aformat that cannot be used to hide a significant amount of data of valueto a malware agent.

Here, z can be used to encrypt some other data, which is referred to asm, and whose ciphertext is referred to as c. Thus, c=E_(z)(m) for anencryption algorithm E. Assuming symmetric encryption, m=D_(z)(c) forsome decryption algorithm D. The device contents can be verified, but mremains unknown by the party receiving c. This party would not know z,but only that z is of some acceptable form that cannot hide largeamounts of malware data. Since the auditing process described hereinallows the verifier party to be assured that only legitimate programsexist in the RAM of the client device, it can be known that theprograms—using the secret value z—can access m, given c. However, theverifier cannot.

Since it is known that the accessing program is legitimate, it is alsoknown that m will only be accessed in an approved manner. For example,if m is data and not code, then it is the case that the accessingprogram will not try to execute the data.

Using a Pseudo Random String Generator

FIG. 9 illustrates an embodiment of an environment in which deviceauditing is provided. In the example shown, device 902 includes, inaddition to the components illustrated in FIG. 2, a SIM configured toserve as a proxy (906) for external verifier 904. As will be describedin more detail below, a monolith kernel stored in the instruction cacheof device 102 (where it fits in its entirety) swaps out all otherprocesses (excepting any processes it chooses to except) when it isactivated, and performs an auditing process. The monolith kernel has anassociated working space that is located in the data cache (andregisters). The cache is typically implemented using RAM, and isconsidered as being part of it herein. As used herein, “free RAM” is theportion of RAM which ought to be free after all applications—includingthe regular kernel—have been swapped out. In some embodiments, “freeRAM” is defined as the segment of RAM that is not taken up by a set ofapproved routines and data. For example, the regular kernel may be anapproved routine, as may common and whitelisted applications. Moreover,approved data may correspond to data that is known by the externalverifier, and may be of any format, as long as it is whitelisted (i.e.,believed to be safe.). In such cases, the approved programs need not beswapped out to secondary storage (as described in more detail below) butmay instead remain resident during the memory reading portion of theaudit (e.g., 1108).

In some embodiments the monolith kernel corresponds to a program F_(ε),parameterized for a known execution environment ε. As explained above,the execution environment corresponds to a hardware configuration of thedevice. Executing F_(ε) on input x produces a sequence of outputsF_(εi)(F_(ε), x), each within a time t_(i) (F_(ε), x) from the start ofthe execution and produces an ending state s(F_(ε),x). In this example,xεX, where X is the set of all legitimate inputs.

Proxy 906 is used to reduce latency variance from the device, and invarious embodiments is implemented as a tethered cellular phone, a cellphone tower, etc., instead of or in addition to a SIM. In someembodiments external verifier 904 performs an initial computation(described in more detail below) and communicates (e.g., via a securechannel), part of the information to proxy 906, using device 902 as anintermediary. Proxy 906 times computations performed by the monolithkernel and reports the timing measures back to external verifier 904. Insome embodiments, external devices, such as tethered cell phones orcomputers, base stations, or additional external verifiers are usedinstead of or in addition to proxy 906. It is also possible to usesoftware proxies that are believed to be tamper resistant, or to usespecial-purpose hardware proxies.

FIG. 10 illustrates an embodiment of a portion of a device. As mentionedabove, “free” RAM is defined as being the portion of RAM that ought tobe free after all applications and the standard kernel have been swappedout. The width of the bus is a word. The size of memory is alsodescribable in words. For example, a 512 byte memory page as shown inFIG. 10 has a size 128 words on a standard handset, where a word is 32bits. As used herein, a “chunk” is the length of the cache line. In theexample shown, the cache line corresponds to 8 words, each of which is32 bits, and the chunk is 256 bits accordingly.

FIG. 11 illustrates an embodiment of a process for performing a deviceaudit. In various embodiments, the process shown in FIG. 11 is performedby device 902. The process is configured such that its computations areexpected to complete in a particular amount of time. Any change to theamount of free RAM evaluated and any attempts to access secondarystorage 1004 will result in an observable lengthening of the amount oftime the computations take to complete. Similarly, changing the contentsof any of the whitelisted programs or associated data will cause a delayor the computation of the incorrect responses.

The process shown in FIG. 11 can be initiated in a variety of ways, suchas the ways described in conjunction with the process shown in FIG. 3.As additional examples, the audit process can be included in a shutdownor boot route. It is also possible for an application to initiate theaudit process. The application would be deactivated, the processingwould be performed, and control would be handed back to the applicationwhen complete. In some embodiments an application queries a centralauthority (or the device) for information about how recent the last scanwas performed. The SIM card can store information about when a scan wasperformed. If the SIM card has the functionality that allows it toconstantly measure time, it can give an actual time as the answer.Otherwise, it can give a time estimate based on the number of seentransactions, many of which will be known to be periodic. Suchinformation can be used to assess the duration since the last scan.

The process begins at 1102 when contents of memory 1002, except monolithkernel 1006 (and any processes it deems acceptable to retain) areswapped to secondary storage 1004. In some embodiments portion 1102 ofthe process includes swapping out the normal kernel, or parts thereof.Crucial features, such as device drivers for serial communication, arere-implemented in monolith kernel 1106. In various embodiments, thecontents are swapped out verbatim, or compact descriptions of thecontents are swapped out or stored on the proxy, external verifier, orother trusted device, or stored in RAM in a state that cannot be usedfor active code. (E.g., it is possible to store instructions in aportion of cache not intended for instructions, but only data.) In someembodiments, no “free” space exists and portion 1102 of the processshown in FIG. 11 is omitted.

At 1104, one or more hardware parameters that correspond to a hardwareconfiguration are received. This portion of the process is similar toportion 302 of the process shown in FIG. 3. Also at 1104, initializationinformation, such as a seed that can be used to generate a pseudo-randomstring, is received. Other examples of initialization informationinclude a step value and a key value, as described in more detail below.

At 1106, the free RAM is overwritten. In some embodiments the output ofa pseudorandom string generated using the seed is used to overwrite thefree RAM. One technique for overwriting the free RAM is to generate ann²-bit pseudorandom string with the particular property that thecomputation of any one of the output bits will take at least half aslong as the computation of the entire block of bits or at least 512applications of MD6 in 512 bit mode. The technique uses three phases,and repeats (with different values of aux) until the output strings fillthe entire free RAM:

1. Generating: Using a hash function h (e.g., MD6) with an output sizeof “n” bits, generate the value x_(i)=h(seed,i,aux) for 0≦i≦n−1, andsome value aux. This generates n² pseudorandom bits.

2. Shuffling: Compute y_(j)=Π_(i=0)2^(i)BIT_(j)(x_(i)), 0≦j≦n−1, whereBIT_(j) is a function that returns the j_(th) most significant bit ofthe input. This shuffles the bits in a manner that requires computationof all n hash function applications to reconstitute any one of thevalues.

3. Blending: Compute z_(j)=h(y_(j)), for 0≦j≦n−1. This assures that eachbit of the output is a function of all the n input bits, each one ofwhich required one hash function evaluation to compute.

In various embodiments, additional shuffling and blending is performedto further increase the cost of computing any part of the final string.In addition, other techniques for overwriting free RAM can be usedinstead of the example technique described in conjunction with portion1106 of the process shown in FIG. 11.

At 1108, memory 1002 (or portions thereof) is read in a mannerdetermined by the “step” value. Results are accumulated and thecomputation is keyed using a key. In various embodiments, the processingof portion 1108 is performed by a memory access scheduler and anaccumulator, each of which will now be described in more detail.

Memory Access Scheduler

Let “sRAM” be the size of RAM 1002, measured in its entirety, in chunks.External verifier 904 will select a random value step in the rangepage<step<sRAM−page, such that “step” is an odd value. Here, “page”denotes the size of one memory page in secondary storage, also measuredin chunks. In the case where there are several page sizes (e.g., ifthere are several components that constitute secondary storage), invarious embodiments the largest of the page sizes is used.

Performing the processing of 1108 includes a loop in which memory isaccessed and the results combined to form a keyed memory checksum. Foreach iteration of the loop, the access location is increased by thevalue step, modulo sRAM. Because “step” and sRAM are relatively prime,all RAM memory locations will be accessed exactly once. Further, theaccess order will be unknown to an adversary until the value “step” isdisclosed. An illustration of memory 1002 being read in accordance witha “step” is provided in FIG. 12.

In the example shown in FIG. 9, device 902 includes a single,single-core CPU. In systems such as laptop computers that includemulti-core processors and/or multiple processors, the processing of 1108can be constructed in a way that is either inherently serial (and whichwill therefore obstruct the use of multiple processors) or adapted totake advantage of multiple processors. As one example of the latter,several computations can be started with offsets such that each threadcorresponds to a different portion of memory, and where there are nocollisions.

Accumulator

Memory contents can be accumulated in a register using a simplenon-linear function that combines the previous register contents(referred to herein as a “state”) with the newly read memory contents(data), one by one. Examples of accumulating functions include hashfunctions (e.g., MD6); a non-linear shift-back register; and simplerfunctions.

On example of a simpler function is state←ROR(state+data). The latterfunction corresponds to a function ROR( . . . (ROR(state₀+data₁)+data₂). . . +data_(n)), where “+” refers to regular addition, and “ROR”rotates the contents of the register one bit to the right. In this case,the function itself may not be nonlinear, but when combined with the apriori unknown step size and the tight timing requirements, it isnonetheless sufficient to satisfy the processing requirements needed.

Is mentioned above, in various embodiments, the accumulation process iskeyed. One way to accomplish this is to offset the value “state” with anew value “key” (obtained from the external verifier or the proxy) atregular intervals. The offset can be performed by adding the currentvalue state to the new value key.

Further, while the process described in conjunction with 1108 is basedon reading memory, in some embodiments a write operation is included tocause further flash-based slowdowns. As one example, sequences of “1”sare written, as causing an erase of the entire block, should the data bestored in flash. To simplify the scheduling of where to write (and withit the monolith kernel), the location can be obtained from the proxy atthe same time a new key value is obtained.

Various other sequences of memory accesses can also be performed at1108. For example, it is possible to use two step values instead of one,where these step values may both be even numbers, but where they causemostly all of the space to be covered. It is also possible to use acollection of numbers or parameters that determine a function thatselects the sequence of locations. It is possible to think of this as amaximum-length sequence, where the outputs are locations, and themaximum-length sequence includes all values in a given range,corresponding to memory positions. It is possible to offset such valuesto avoid accessing certain areas (e.g., the monolith kernel), shouldthat be desirable. In the case of a maximum-length sequence, the keyprovided by the external verifier or proxy can be the initial state, orthe weights associated with the various cells of the LFSR.

At 1110, the keyed computation is provided to an external verifier 904.If the external verifier approves of the results, device 902 is deemedto be in a safe state.

At 1112, device 902 executes any functions that are to be executed in asafe state. Examples include setting up an SSL connection, casting avote, entering a password, scanning secondary storage formalicious/unwanted programs, etc. In various embodiments, if the code ofthe safe-state function is in secondary storage (i.e. it is not part ofthe monolith kernel), a digest of the function is compared to a valuestored in the monolith kernel (or on the proxy). The function isactivated only if the values match. In various embodiments, if the proxycan perform the message digest computation, the monolith kernel need notcontain code to do the same.

At 1114, the state of RAM 1002 is restored by loading contents (swappedout at 1102) of secondary storage 1004.

A large portion of the potential load of the process shown in FIG. 11involves swapping out applications and data from RAM to secondarystorage, and swapping it back. It is possible to avoid doing this, e.g.,in order to save time. This could be done by killing the applications.If an external verifier or other resource knows what applications arerunning, and potentially also their state or parts thereof, it ispossible for this party to assist in restarting selected applicationsafter the auditing process has run. It is possible for secondary storageor a SIM card or other on-board unit to maintain some of thisinformation. It is possible to identify applications and data not bytheir full strings, but by shorter identifiers to save space and time.It is possible to have approximate algorithms that largely re-generatethe same state after the detection algorithm has run. For example, thismay restart a browser, but fail to recover the browser contents.

Further, it is not necessary to swap out active applications if theyonly take up some portion of RAM. For example, suppose they only take upthe lower half of RAM. For each cell (number i) in free RAM, copy thecontents of that cell to a position higher up (position 2i). This ispreferably done starting from the end (higher numbered positions.) Thiseffectively slices the applications, and makes them reside only in evenpositions. Now pseudorandom values need only bet written into theodd-numbered positions, and only need to perform the nonlinearaccumulation of the odd-numbered cells. Note that it is not possible forany functional malware to remain active. It is possible for malware toexist, but only if its instructions are “jump to next open space” andthat is where the next instruction is. Since all the space that is notoverwritten by pseudorandom material will be jumps only (there is notspace for more in consecutive space), it is knowable that the malwarecannot achieve anything. It is possible to make the distance betweenslices larger, especially if the space is not predictable by anadversary. The distance may be predicted by a sequence generator, forexample, where different distances are different length. The spreadingout of data and programs within the RAM can be combined with offsettingthese with random strings. The microkernel (the program in charge of themalware detection)—would not be spread out in this manner, as it needsto remain in a state that allows it to execute.

In conjunction with FIG. 11, a description was made as to how RAM couldbe read using a step size that is not a priori known. It is alsopossible to write (free) RAM using a step size other than one, where thestep size may be unknown a priori. One effect of this is that it causeswrites to secondary storage for an attacker wishing to store informationin secondary storage. These delays are greater than read delays ifsecondary storage uses flash. It is possible to use a simple stepincrement modulo an integer corresponding to the range to bewritten—plus an offset if the monolith kernel does not reside in highaddresses. It is also possible to use no particular modulo for thearithmetic—which corresponds to using a modulo corresponding to theaddressable RAM space—and to identify whether the cell to be written isin a range that should not be written.

FIG. 13 illustrates an embodiment of an implementation of a process forselectively reading memory. In some embodiments FIG. 13 is used toimplement a portion of portion 1108 of the process shown in FIG. 11.

In some embodiments, full use of the data cache is made. Specifically,data is processed in chunks the width of the cache line, whose sizetypically ranges from 8 to 512 bytes. In the following, the parameter“α” denotes the width of the cache line, in words. The parameter“period” corresponds to the length of the timing periods. This is set tocorrespond to a time that is shorter than an optimistic roundtriplatency from device 902 to a potential external helper. The reportedvalues, and the time at which they are reported, are recorded by proxy906.

Examples of Detecting Various Evasive Programs

The following section provides examples of how evasive programsemploying the various strategies described above can be detected usingthe techniques described herein. To succeed in evading detection, anadversary has to provide the correct responses F_(εi)(x) within theexpected time t_(i)(F_(ε),x)+δ. There are various ways this can beattempted by an adversary, each of which will now be described.

Defending Against Adversarial Strategy 1—External Support.

The values “key” and “step” are communicated to the proxy over a securechannel. The value of “state” is reported for each iteration of theouter loop. The computation of this value depends on the value “key.”Therefore, it is not possible for an external device to help with thegeneration of the responses if the roundtrip latency (from sending outthe value key to receiving the result of the computation) exceeds thetime threshold t_(i)(F_(ε), x)+δ, where t_(i)(F_(ε),x) is the time forF_(ε) to generate the response.

Defending Against Adversarial Strategy 2—Using Secondary Storage.

Assume that the adversary has modified some “k” words of data in RAM,and that an image of the “intended” contents of this area is kept insecondary storage. When F_(ε) would have attempted to access one of themodified cells, F′ instead accesses the image in secondary storage.

This can be done in three ways: (a) The entire RAM can be imaged insecondary storage, and each access is made there; (b) Each memory accessof F_(ε) is replaced with a comparison of the address to a range, withselect access attempts only being rerouted to secondary storage; and (c)the Translation Lookaside Buffer (TLB) is used to automatically rerouteaccesses with selected ranges.

In the first case, each memory access will suffer the delay associatedwith accessing secondary storage instead of RAM. In the second case,only rerouted accesses suffer this delay, but for each memory access, acomparison has to be made. In the third case, there is only a delayimposed for rerouted accesses. However, due to the somewhat coarsegranularity of the TLB, there is a minimum number of cells for whichaccesses can be rerouted.

Defending Against Adversarial Strategy 3—Using Ram.

Due to the construction of the pseudorandom string that is used to fillfree RAM, computing any one cell will require the computation of atleast 512 hash function evaluations, since the value in each cell (insome embodiments) is a portion of the second-layer hash function output,whose input is a function of 512 first-level hash function evaluations.

Suppose there is a setup cost for each hash function computation, andthat this is at least 1156 clock cycles. At the same time, the hashcomputation for MD6-512—once the setup is completed—takes 155 cycles perbyte, or 9920 cycles for a 64 bit input. Both of these assume optimizedcode and for a typical 32 bit processor. The total cost per hashfunction evaluation in this setting is therefore 11076 cycles.Computation of the contents of only one cell in RAM will take at least(512+1)*11076 cycles.

Using Proxies for Timing

As mentioned above, in some embodiments an external verifier is used todistribute new seeds and to time the arrival of values from timingcheckpoints. To example models of communication between the auditeddevice and the external verifier are: (a) a physical connection; and (b)a VPN between the external verifier and a SIM card. Data down isencrypted, data up is authenticated and/or bi-directional authenticationoccurs.

When a physical connection is not used between the device and theverifier, variances in latency can frustrate the timing of thecomputation. Accordingly, in some embodiments a proxy (with less latencyvariance) is used to support the timing. One example piece of hardwarethat can be used as a proxy is a SIM card.

A proxy can be used to reduce the variance associated with the startingof the computation. This applies both to the entire computational task,and to subtasks. Both of these can be initiated by sending a key or aseed that is needed for the computation, guaranteeing that thecomputation does not start until the key or seed is received.

The SIM card receives encrypted seeds, decrypts them, and providesdevice 902 with the values. This dispensal time can be made relative toother events that are observed on the device. Consider a triplet(location,data,seed), and assume the verifier produces such triplets,and sends them in an encrypted and authenticated fashion to the SIMcard. Here, location describes a computational step (or stage) within aprogram, and data describes some state associated with this location.Assume that the computation can be anticipated by the external verifier,or that a small number of very likely computational paths can beanticipated.

This makes it possible for the external verifier to compute thesetriplets, predicting what data (or state) will be observable on thedevice at a given location (or stage). The third element of the triple,seed, denotes the value to be dispensed to the device if it reaches agiven state, associated with location and data.

The SIM card will send the “value” location to the device, unless it canbe computed or predicted by the device, or received from elsewhere. Whenthe computation has reached a stage associated with the value location(this can be a loop iteration value), the software on the device sendsthe most recently computed value of some predetermined type—or partsthereof—to the SIM card. This can be the most recently computed value,the contents of a given register, or any other appropriate value. TheSIM card compares this value to the value data associated with location,and if they are the same or equivalent, then responds with the valueseed. The device replaces its current seed value with this new value forseed. This allows the device to replace the seed at a time when it hascomputed some value that vouches for it having reached a givencomputational stage. The new seed is not disclosed before this, whichhas security benefits. Alternatively, new seeds can be disclosed as soonas a new result is reported, independently of whether this reportedvalue was correct or not; any reported value would be recorded, alongwith when it was received, allowing a verifier later to determine ifincorrect results were received, or whether there were any noteworthydelays. The reports sent by the proxy can be compressed or digested inorder to save bandwidth, as applicable.

The computation has reached a given checkpoint associated with a triple(location, data, seed) once a match is made and the associated seedvalue is dispensed.

In some embodiments the SIM card has a long vector of such triples, andselects either the first one (in the case of straight computation) inthe line, or any one that matches the input (in the case where there arebranches not foreseeable by the external verifier unit). It is possibleto leave out the value location if a predictable location is used. TheSIM card can obtain a long list of triples without it being possible forany of these to be intercepted by the handset or other parties; this ismade possible by the use of point-to-point encryption between theexternal verifier (or associated proxy) and the SIM card.

It is also possible to use a verifier-initiated event instead of thevalue data. Thus, once that event is observed by the SIM card, theassociated value seed is released, and the device computation is startedwith this value. This can be used to start the clocking. This can alsobe implemented by the device having to present a given piece of datathat may, for example, be delivered by the external verifier to thehandset in order to start the computation.

It is possible that some of the seed values are empty, in which case noseed value is sent to the device. This could be used to perform a checkas to what point of the communication the handset has reached.

The SIM card does not have to be clocked (and therefore be aware oftime), and it can operate in a hostile environment (as long as thevalues “data” are sufficiently long to preclude exhaustive search bymalicious code on the handset, with the goal of obtaining seed values ina premature manner.

The end of a computation can be identified by having a checkpoint, asabove, after which the SIM card reports the time of the computation tothe external verifier, or reports information which allows the externalverifier to compute an estimate of the time between the beginning andend of the computation. In the former case, a collection of local timevalues can be recorded by the SIM card, one for each checkpoint that isreached. This can be recorded as a list of pairs (location, time), wherethe value time can be a local time that does not need to be synchronizedwith the external verifier's notion of time. Alternatively, pairs ofreported values and the associated times can be recorded. The SIM cardcan authenticate this list and transmit it to the external verifier, whowould verify that the authentication was correct, after which it canmake a determination of how long various computational tasks took. Thiscan be used to infer the device's security posture. Alternatively, theSIM card can make this security determination and send an authenticatedresult of the determination to the external verifier.

Even without the ability to tell time, the SIM card can order events. Asit receives packets from the verifier (or any entity collaborating withthe verifier, and not with the malware), it will determine whatdevice-reported event most recently took place. This corresponds to avalue “data” that was received and verified as being correct. Thus, thevalues data can be generated by the device (given some computationaltask set up by or known by the external verifier) or can be a result ofcommunication from the external verifier.

To deal with intentionally delayed reporting to the SIM card, it ispossible to require immediate acknowledgment by the SIM card to theexternal verifier, once an event packet is received. These messages areauthenticated and/or have a format that cannot be anticipated by amalware agent. An example way to construct this by letting the value“data” above correspond to the event from the external verifier, and letthe device report the associated value “seed” to the external verifieronce it is received from the SIM card. The external verifier can thentime the arrival of this acknowledgment after a preceding packet issent. Alternatively, the device can be allowed to report valuescorresponding to “data” directly to the external verifier. This can bedone for some portion of all the checkpoints, or for additionalcheckpoints.

Assume that a packet identified by a string S was received by the SIMcard after an event E took place, but before any other event took place(and was correctly verified by the SIM card). Then, the pair (S,E) isadded to a log L. Alternatively, identifying portions of the strings Sand E are added to the log. The log is communicated to the verifier atthe end of the communication. Alternatively, ordering information iscommunicated to the external verifier.

In some embodiments, triplets (location,data,report) are added to thevector, where “report” is a value that signifies a report being sent tothe verifier. This can also be achieved using regular seed values, wherethe last seed value released is a value that the device communicates tothe verifier in order to stop the timing. The timing can also be stoppedby having the device perform some additional keyed task and report backvalues in exchange for seeds, in which case the arrival of the nextpacket with a string S would identify when the timing stopped(extrapolated from the number of cycles that apparently were computedafter the intended computation ended.)

Once the timing has ended, the SIM card encrypts (and potentiallyauthenticates) the log, and passes this to the device for transmissionto the verifier. The verifier determines whether it was correctlyauthenticated, decrypts it, and then determines from the log what thecompletion times of partial steps of the communication were, giveninformation about the transmission times of the packets containingvalues such as S. It may know the times when these were transmitted bythe base station closest to the handset, or may know when they wereprocessed by a network proxy, or by the originator of the packet itself.

In some embodiments the values S are generated by a trusted beacon andpotentially not known by the external verifier by the time it starts thecomputation on the device.

Some types of packets, like the packets containing S, need not beencrypted before they are transmitted over the network. In someembodiments they are authenticated. However, the verification by the SIMcard of whether a packet has a correct authentication need not be donebefore a preliminary log entry is compiled. If the authenticationverification fails for an already compiled log entry, this log entry canbe erased.

SIM cards are half duplexed, i.e., cannot receive and send data at sametime. SIM cards operate as slaves, i.e., will only (with some specialexceptions, such as when they are powered up) send data to the attacheddevice (our handset) after having been requested to do so. However, somesmart cards can operate independently between queries from theirassociated handsets, and not only as a reaction to being queried.

If a SIM card supports multi-threading, it is possible to let one threadperform a simple count (started when the timing starts), and to providethis counter to the other thread, which records this value each time acorrect data value is received. The counter can be stored along with thedata value, the associated location, or an index that indicates whatdata value is associated with the counter. In some situations, such asif it is guaranteed that one data value cannot be accepted more thanonce, and there is a deterministic order of values to be received, thenwe may record the counter values, and not the data values or other stateinformation.

Some SIM cards, such as typical Java Cards, only support computationafter a message is received from the SIM card interfacing device (CAD).The computation typically ends when the response from the SIM card isgenerated and transmitted to the CAD.

If a SIM card allows a counter to be increased for each clock cycle (oranother deterministic periodicity) even before messages received fromthe handset, and after responses being transmitted, then it is possibleto maintain the proper count, even without support for multi-threading.

It is possible to keep time-based state in the SIM card; it is alsopossible for the SIM card to authenticate events (including the time atwhich they took place) and export lists of such authenticated events.

FIG. 14 illustrates an embodiment of an implementation of a process fortiming a portion of a device audit. In the example shown, a modifiedJava Card is used as a proxy. The modification permits the process toremain active after responding to a request. The proxy receives a vectorof values input and output from the external verifier, and produces avector duration that is transmitted to the external verifier at thecompletion of the execution. (All the communication between the proxyand the external verifier is assumed to be authenticated and encrypted.)In the example shown, the value “∞” corresponds to an error messageindicative of an attempt of a malware agent on the client to cheat. Uponreceipt, the external verifier will determine if the values in thevector duration all fall within the tight bounds suggesting successfulcompletion, and will conclude that the client is in a safe state only ifthat holds.

Additional Ways of Using Proxies for Timing

In addition to using a SIM or similar piece of hardware as a proxy, itis also possible to use as a proxy another device that is believed to bein a secure state. It is possible to bootstrap security by first havingone device (such as a phone) be verified as being secure, and then usethat device to perform local timing and other verification tasks in theprocess of verifying the security of a second device.

The devices can be of different types. For example, one may use a SIMcard, local cell phone tower, or a local computer to assist the securityverification of a handset, on the request of an external verifier. It ispossible for this external verifier to have prepared parts of the dataused in the verification, such as the pairs of (data,seed) describedabove. It is also possible for a third party to perform thispre-computation. In various embodiments, a seed is generated by theproxy. One example is for the proxy and the device to both contain asensor such as an accelerometer or photovoltaic sensor. Both the deviceand the proxy observe the same phenomenon (e.g., by being held togetherand shaken together) and calculate a seed the manner. In this case, thedevice uses the observed seed, and the proxy sends the seed (which itindependently experienced) to the external verifier.

As soon as a first device is determined to be in a secure state, it canbe used to time or otherwise assist in the security assessment of asecond device, such as the infotainment system of a car, anotherhandset, a netbook, a laptop or desktop, or other device. This securityassessment can be of the same type (e.g., based on the time to performcomputational tasks), or it can be an alternative security assessmentmethod that is bootstrapped on the first. Likewise, the first securityassessment can be of a different type, while later security assessmentcan be bootstrapped on the first one, and may use our timing-basedapproach.

In some embodiments, a first known “safe” device is used to produce acollection of sets of seed values, to be consumed by other devices at alater point. It is possible to have such sets certified (e.g., using aPKI or by peer-based authentication of values). Further, it is possiblefor the external verifier to operate in an off-line manner if it has thesupport of an online proxy. For example, the external verifier can sendencrypted and authenticated data at a time far ahead of the auditingprocess; several such transcripts can be sent at a time. They can eitherbe sent to the proxy, where they can be kept; or they can be sent to theaudited device, or a proxy thereof, where they would be kept untilneeded. The transcripts that are generated by the proxy as a result ofthe memory-printing may also be buffered by a device and later sent tothe external verifier, whether when they are requested, or when there isan availability of a communication channel. In some embodiments allrecords are marked up with time-stamps and serial numbers before theyare authenticated and possibly encrypted.

It is possible to implement this in a network of small nodes, whereinsome of the nodes either are trusted a priori, or are assessed to besecure; after which these nodes are used to assist the securityassessment of other nodes. This is a potentially recursive approach, andcan be circular, i.e., a previous trusted device used to assess thesecurity of other devices may later on be verified by some of thesedevices, or devices assessed to be secure in other ways. The externalverifier can still be included in the environment, and may help start upthe chain of verification events, and help schedule what nodes should beverified when, and by whom.

Using Compressed Access Tables

In some embodiments the position of a memory access is determined by thecontents of a vector “location” whose contents correspond to apermutation of all cells of free RAM. This vector can take up all offree RAM, if kept there. In some embodiments it is stored in secondarystorage (such as flash), and portions are swapped in as needed. Analternative approach that maintains a pseudorandom access order, butwhich minimizes the computational effort during the main loop will nowbe described.

Consider two vectors, locationH and locationL, where both are vectors,each one containing a permutation of partial memory access positions.Here, the actual memory access position is the combination of twopartial positions, e.g., the bits of one locationH element concatenatedwith the bits of one locationL element. Here, the locationH element isassumed to contain the higher order bits and the locationL element thelower order bits. These elements can be of the same or different size,but will, when combined, be the size that addresses one memory location.If each contains all possible elements in the range, then the collectionof all combinations will correspond to a collection of all memoryaddresses. (From this, one can remove those that are not in free RAM bycomparing the combined result to a threshold, and trash the result if itfalls below this threshold.) This representation takes only the squareroot of the size of the space addressed to store. It is possible to usethree components, in which case they take the third root of the spaceaddressed. It is possible to use a large number of components as well.One example combination function is concatenation.

In some embodiments the order of access of the elements of the vectorfollows a geometric pattern that guarantees that all combinations aregoing to be used with an overwhelming likelihood. It can be beneficialnot to have several accesses of one and the same item within one vector,as this reduces the degree of unpredictability to an adversary, giventhe increased patterns in memory access. It is possible to cover onecombination more than once, although it is beneficial to limit the totalnumber of accesses to memory at the same time as guaranteeing that allaccesses are made, but for a negligible probability.

It is possible to access the locationH vector at a position x and thelocationL vector at a position y, and to access the x-y positions alongthe diagonals. Here, the first sequence can be started at position(x,y)=(0,0), after which x and y are both and simultaneously increasedby one for each iteration of the loop. When one coordinate is increasedbeyond the size of the vector, the coordinate is set to 0 again. Then,when the position again becomes (0,0), it can be to modified to start atposition (x,y)=(1,0), after which the sequence of increments is repeateduntil it comes back to (1,0), at which time it is changed to (2,0). Thisis not the location of the memory access: it is the position in thevectors that describe where to make memory accesses.

It is also possible to otherwise compress the description of what cellsto access by having a vector of locations elements, where each suchlocation only describes part of an address, and the remaining bits ofthe address are computed in another fashion, or inferred from programstate at the time of the computation. Moreover, these two approaches canbe combined, and combined with yet other related descriptions of accesslocations that are at least partially pregenerated.

Additional Information on Timing

In various computations, timing of computation, and partial computationoccurs as follows. (A) The timer is started once the auditor is providedwith all necessary values, whether from the external verifier or a proxythereof. These values typically include the value seed. (B) The timer isstopped (and the time since it was started recorded) when the auditorsubmits a correct value “state” to the external verifier or a proxythereof.

It is possible to immediately start a new time interval when an old onehas ended (where the start is signified by step A and the end issignified by step B above). It is also possible to implement “recesses”between these intervals; during these recesses, the computation may notbe timed, and the algorithm may perform routine maintenance, such ascommunicating with external parties, reading or writing to secondarystorage, or other functionality. The recess can be ended when thealgorithm requests that the next timing interval is started (e.g. stepA); one way this can be done is by signaling to the external verifier orproxy thereof to start the next interval; or it can be done by theexternal verifier or proxy thereof selecting to start the new interval.

It is also possible to implement recesses as standard timing intervals,whose length is not critical to the final determination of the securityposture of the audited device.

Pseudorandom Access

In some embodiments, the selective reading performed as part of theaudit process is accomplished through access in a pseudo-random order,with a sequence of reads and writes to the accessed positions. Analternate embodiment using pseudorandom access now be described. First,a description of an example of memory filling will be provided. Then adescription of an example of periodic timing will be provided.

Filling Fast Memory

The following memory-printing function can be used to fill free RAM. Itcan also be used to fill other types of fast memory, in the event thatsuch other types of memory are comparable with RAM in terms of accesstimes. A pseudo-random sequence is XORed in to free RAM in apseudo-random order; later, a keyed hash of the entire contents of RAMis computed. Even though RAM does not use blocks and pages, it cannonetheless be divided into “virtual” blocks and pages, corresponding tothose of flash. Consecutive chunks of flash are not accessed in a pageor block. This makes the access slow in flash, but still fast in RAM.

In order to fill free RAM with a pseudo-random string, there are twomain steps. First, a setup function is run. This determines the randomorder of memory accesses to be made by the memory-printing function,using a seed obtained from the verifier to generate pseudorandom values.The table is stored in flash, and the program space used by the setupfunction is cleared after the setup completes. Second, a memory-printingfunction is used to fill all free RAM. Its execution is timed, both frombeginning to end and in shorter intervals.

Handling Network Delays

Delays caused by infection can be measured from a device connected tothe client device by internal wiring; standard network port, such asUSB; over a wired interface; over a WiFi network; over a LAN; over theInternet; over a packet-switched network; over a communication network;or a combination of these. Some of these communication media mayintroduce delays and variance, which can be separated from themeasurement using statistical methods.

The verification is made by a device that is connected to the auditeddevice using a cable, a LAN, a WAN, Bluetooth, Wifi, the Internet,another network, or a combination of networks. The verification is madeby comparing a received result with a computed result, and to verifythat it (and the sequence before it) was received within the proper timebounds. All of these communication media may incur latencies, and somemay drop packets.

Assume for a moment that a “good” event takes 10 units of time, plusbetween 1 and 5 (for typical network variance).

Then, assume that a “bad” event takes 15 units of time, plus 1 to 5 fornetwork variance.

Consider the receipt of partial results at these times:

Sequence a: 0, 12, 25, (missing packet), 50—this sequence is likely tobe good, in spite of the missing packet, since the last partial result“vouches for” the lost packet.

Sequence b: 0, 11, 30, 35, 50—this sequence is likely to be good, inspite of the long delay between the second and third packet, since thefourth packet was received “too early”.

Sequence c: 0, 11, 30, 45, 57—this sequence is likely to be bad due tothe long delay after the second packet, and no event that explains thedelay.

Generation of a Pseudo-Random String Example 1

In some embodiments, only half as much pseudo-random material isgenerated (as before). Only in even-numbered cells of free RAM is itwritten and only in these cells will memory-printing be performed lateron. This speeds up both the generation phase and the memory-printing bya factor 2. It also avoids having to page out material in RAM, andallows the odd-numbered cells to be used to store temporary values, suchas variables needed for the execution of the memory-printing. Malwarecan exist, but can only jump (to odd cells), nothing else. If itattempts to do anything else, it will have to execute random contentstored in the even-numbered cells, which will disrupt the malwareexecution.

Example 2

(a) Obtain the seed to generate the pseudo-random string very early on,and generate this in the background . . . at any time. Call this firstpseudo-random generator PRG1. Store this string in secondary storageuntil it is needed.

(b) To perform the setup before memory-printing, receive a new seedvalue (call this seed2) and use this as input to a fast pseudo-randomgenerator. Call this second pseudo-random generator PRG2. Combine theoutput of PRG1 and PRG2 by XORing them together, writing the contents tofree RAM. (Note that this can be combined with Example #1.)

Note: It is possible to use a weak PRG2, since the final randomness willbe the combination of the two randomness sources. It can be also be onein accordance with NIST special publication 800-90. A secure blockcipher can be converted into a CSPRNG by running it in counter mode.This is done by choosing a random key and encrypting a zero, thenencrypting a 1, then encrypting a 2, etc. The counter can also bestarted at an arbitrary number other than zero. The period will be 2nfor an n-bit block cipher. The initial values (i.e., key and plaintext)must not become known to an attacker. One example of a practical PRNGincludes the Yarrow algorithm, which attempts to evaluate the entropicquality of its inputs, and an updated version, Fortuna, which does not.Yarrow is used in FreeBSD, OpenBSD and Mac OS X (also as /dev/random);the UNIX special file/dev/random, particularly the /dev/urandom variantas implemented on Linux; the function CryptGenRandom provided inMicrosoft's Cryptographic Application Programming Interface; the Pythonfunction urandom in the os module, which uses /dev/urandom on Unix-basedsystems, including OS X, and CryptGenRandom on Windows-based systems;ISAAC based on a variant of the RC4 cipher; ANSI X9.17 standard(Financial Institution Key Management (wholesale)), which has beenadopted as a FIPS standard as well. It takes as input a 64 bit randomseed s, and a TDEA (keying option 2) key bundle k. The X9.17 algorithmcan possibly be improved by using AES instead of TDEA.

In various embodiments, every second cell (dword) is scanned for theentire memory space (e.g., all of RAM). It is also possible to scanevery cell for the portion of the memory where the scanning routine (andany other supporting code) resides, and every other cell for the rest ofthe memory. Malware may try to relocate the portions that are writtenand scanned, e.g., from all even cells to all cells in the lower half ofRAM. This, however, requires mapping of each location, which willintroduce a delay each time RAM is to be accessed. Memory managementroutines that are built in will only map entire blocks, and will notperform mappings from even cells to odd cells, etc. Malware can alsoattempt to relocate portions of the RAM contents to flash or othersecondary storage. This, however, will cause delays as flash is slowerthan RAM.

If any portion of the memory is not overwritten with pseudo-random data,and later check-summed in the memory-printing routine, then this portioncan be used to store data. For example, the portion of memory that isnot taken up by the routine to scan memory can be overwritten withpseudo-random data and checksummed using every other dword or cell. Forexample, we may write and checksum only even dwords, and avoid odd ones.The odd dword locations can then be used to store programs and/or datathat were resident in the memory before the detection process started;or compressed versions of these; or other representations of these (suchas the names of programs or routines, or indications of their locationsin flash). It can also be used to store temporary variables used duringthe memory-printing routine itself. Additional details regarding thesetechniques are provided below.

Memory Printing Example 3

As with Example 1, only checksum even cells from the cells that wereread to the cache. If the location to be read is in the area where themonolith kernel resides, also accumulate the contents of the odd cellsthat were read. (That can be done after all the even cells have beenaccumulated, and it need not be done in the order they appear.)

Communication Speeds Example 4

One assumption that can be made is that the external helper isinfinitely fast, and that the roundtrip latency is 2 ms. That sets theparameters in a very pessimistic manner, which causes extra work. Hereare a few other parameter choices, for other roundtrip times. We alsohave parameter choices for a setting where the external helper is notinfinitely fast, but only twice as fast as the client computer. (This isgeneralized to related assumptions, and is used to show the dynamics.)For each entry, we describe two values (inner_loop, outer_loop), whichcorrespond to the number of iterations one has to make, using theprevious parameters as a starting point:

latency to external infinity (=no helper (ms) 2 4 8 32 connection)infinitely fast (1024, 8192) (2048, 4096) (4096, 2048) (16384, 512)(8388608, 1) helper: double-speed (2048, 4096) (4096, 2048) (16384, 512)(32768, 256) (8388608, 1) helper:

If this is combined with Example 3, each iteration of the inner loopwill become a bit faster; allowing a further increase of the number ofiterations of the inner loop for each iteration of the outer loop, andcorrespondingly, a reduction in the number of iterations of the outerloop. This reduces the number of updates of the key, and the number ofreports.

Note: It is not implausible to assume that the adversary has noconnection to an external helper. It is possible to consider twoversions of the software: one light-weight version (to be runfrequently) that assumes no connection, and one heavy-weight (to be run,e.g., only once a day) that assumes the existence of an external helper.This makes the common case faster.

Example 5

For each round of the outer loop, at least part of the state is reportedto the proxy, and at least part of the state is updated using a new key,contrasted with some embodiments in which the entire state is reportedand the entire state is updated. It is also possible to report only aportion of the state, such as 1 byte of the state (e.g., the 1 LSB). Itis also possible to offset only part of the state, such as 1 byte of thestate (e.g., the 1 MSB). Other portions are also possible. This reducesthe amount of data to be transmitted over to the proxy.

Since the state that is not reported continues to affect future states(that will be reported at least in part), one will get several checks ofthe same information, whether it is all reported or not. At the lastiteration of the outer loop, the entire state can be reported. Since itbecomes unlikely that an adversary can guess the updates even if onlyone byte is changed, and do that for each round it is involved, it isnot necessary to update all bits with new key data.

Example 6

Serial communication is slow, and other types of communication arefaster—e.g., using 3 G or WiFi. If the base station or access point actsas a proxy, that limits latency variance. One way this can be done is byadding a timer value to the packet to be transmitted to the externalverifier. It is possible to consider two versions of the detectionsoftware (apart from what was described before): one light-weightversion that uses 3 G, and one heavy-weight that uses serialcommunication.

Avoiding Large Numbers of Generations of Pseudo-Random Strings Example 7

The repeated generation of many blocks of pseudo-random strings can beavoided in a variety of ways. If strings are offset (e.g., as describedin Example 2), it is possible to use one and the same basic block (fromPRG1) and offset this over and over with different strings from PRG2.Thus, it can be reused, not only within one verification, but alsobetween verifications. It is also possible to generate a small number ofstrings using PRG1, and to combine these in different configurations fordifferent invocations. For example, one may XOR together a three of anavailable 8 such blocks, and then offset the result with the output fromPRG2. The selection of what three blocks to combine may be performed bythe external verifier.

Example 8

It is also possible for the external verifier to use a relatively smallset of such blocks (as described in Example 7)—such as 1000 all inall—for all clients. Each client would have to compute some of these anduse them for some period of time, as described above. This limits theburden of the server-side component.

Increasing the Effects of Write Delays Example 9

As explained above, basic blocks of pseudo-random strings can bepre-computed and written to RAM. If there is a malware agent present,this will incur a delay. This can be measured, just as can thememory-printing. One way to increase this delay is to write the blocksof pseudo-random data in a manner that is not sequential, but rather, ina way that cannot be anticipated by an adversary and which incursadditional delays if performed to flash memory (assuming the same memorymapping). For example, portions of data can be written, such as portionsof the size of the cache line width, single words, or other sizes, andthen a new location for the next write is selected. This new locationcan be selected by increasing the current location with a step (such asfor the memory-printing), where this value step was received from theexternal verifier. This does not have to be the same value step as usedfor the memory printing. This incurs extra delays when flash isinvolved, as it would be for many typical scenarios where a malwareagent attempts to survive and avoid detection. By making this change, wemake it easier to detect cheating attempts in which the malware agentreads from flash.

Increasing the Effects of Recomputation Attacks Example 10

In order to increase the impact of recomputation attacks (where theadversary attempts to compute the contents of a given cell in memory),it is possible to use blocks, such as those generated by PRG1, where alarger number of hash function computations need to be performed inorder to determine the contents of a given cell. This can be achieved bycombining several blocks (as described in Example 7), and by making eachsuch basic block dependent on more values or require more one-wayfunction computations to be performed. It is also possible to use othertypes of functions, and not one-way functions. By making this change, wemake it easier to detect cheating attempts in which the malware agentcomputes the wanted contents of a given cell.

Screening and Identifying Content:

Example 11

Once the memory-printing routine has completed, and an external verifierhas concluded that the target device (on which the memory-printingroutine ran) does not have any active malware, then varioussecurity-sensitive routines can be run. Examples of these are asfollows:

-   -   (a) Scans of secondary storage to detect inactive malware.    -   (b) Scans of secondary storage to detect unwanted programs,        where a program may be considered unwanted if it is against a        verifying organization's policy (e.g., is pirated, has not been        approved for use in the context, and/or is not allowed under the        terms of service of the user).    -   (c) Scans of secondary storage to detect unwanted data, where        data may be unwanted if it breaks a verifying organization's        policy, (e.g., is pirated, is illegal, and/or has been agreed by        the user of the target device not to be stored or used on the        target device). A variety of types of data can be identified,        including text, audio data, and video data.    -   (d) Synchronization of updates with an external server, or of        updates belonging to certain categories. (For example, only        emails and not photos, or all user-generated content, or all        content.)    -   (e) Decryption of data, including where data may be used for        authentication.    -   (f) Display of audio-visual material (e.g., that must not be        accessed outside the secure mode).    -   (g) Access to sensitive resources, whether on the device or        external sources. Examples include access to a voting program        (e.g., in which the user casts a vote), access to a password        store, access to a banking application, and access to a banking        transaction (e.g., a transfer) within a banking or other        application.

Using the detection of “unwanted data” as an example, suppose a list ofsignatures of content purchased by the user is received from an externalserver. Content on the device can be compared to these signatures todetermine if any content has not been purchased (i.e., is not matched toa signature) is present on the device. Such unmatched content can thenbe screened to detect if it is content that should have been purchasedin order to be used on the device. If there is such a match, an externalservice provider can be alerted, the content can be erased or otherwisemade not accessible, and/or the user can be notified. As anotherexample, if the content is out of date (i.e., is a first version), thecontent can be automatically updated (i.e., to a second version).

One technique for matching unmatched content (e.g., to a list ofdescriptions of data that ought to be licensed) is as follows. Suppose atext signature of a copyrighted book is created using a 50 word segmentof the book. Any text that matches this text signature fully or to athreshold extent can be considered to “match” the book. Fuzzy matchingtechniques can be used such that removing or changing a small number ofwords will not affect the match. In some embodiments, multiplesignatures are created for the book (or other content file), such as bycreating three different 50 word segments. An attacker (in this case,potentially the owner/user of the device) would not know whichsignatures the device would receive (e.g., from the external service) toperform comparisons with, so he would not know which portions of thefile to mutilate in an attempt to avoid detection.

One way to evaluate audio data is through the use of signatures that arefrequency-spectrum graphs of selected portions of the file, or othercharacterizations of the data. This makes it possible to (a) whitelistapproved content that has been acquired in an approved manner; and (b)screen the remaining content and distinguish user-generated or otherwiseapproved content from unwanted content, content that has not beenacquired in the proper way, or which otherwise break the terms ofservice. It is possible to report on the presence of various data filesbased on the matches. This can be used for auditing purposes; todiscourage piracy; and to make synchronization of devices faster. Forexample, instead of synchronizing an entire movie, book, application, orsong, it is possible to instead notify a backup server of the existenceof one of these files based on the match with the signature, after whichno further data needs to be transmitted. In situations where data is notlikely to be modified or corrupted, it is also possible to use the hashof the file or another unique function of the file as a tag that iscommunicated; however, where files may be intentionally or accidentallymodified or where a large number of possible variants may exist, in someembodiments the file is identified using a signature, which could allowfor fuzzy matching, e.g., by comparing for a large but not completecorrespondence.

FIG. 15 illustrates an embodiment of a process for performing a deviceaudit. In various embodiments, the process shown in FIG. 15 is performedby device 102. Portions 1502, 1504, and 1506 correspond to portions 302,304, and 306, respectively, of the process shown in FIG. 3. As explainedabove, once an external verifier has concluded that the target devicedoes not have any active malware, a variety of security-sensitiveroutines can be run (1508).

Suppose a user has an electronic book application installed on device102 and has purchased several books. A friend of the user has providedthe user with a pirated copy of a book (for which the user has notpaid), either in the same format as other electronic books stored ondevice 102, or in an alternate format. As one example of the processingthat can be performed at 1508, device 102 is scanned for the presence ofcopyrighted text based on fingerprint information received from theverifier. Specifically, after receiving as instructions: “search for anoccurrence of ‘hello neighbor,’ then count the number of nouns thatoccur in the next 50 words,” a scan according to those instructions isperformed at 1508.

More sophisticated scanning techniques can also be used, such as bylocating within a text an occurrence of three particular verbs within aparticular distance of one another, then counting the number of wordslonger than four characters and the number of prepositions. Otherexamples of processing that can be performed at 1508 include performingfrequency analysis scans of audio/visual files on the device. At 1510,an action is performed based at least in part on the scan performed at1508. Using the “hello neighbor” example, at 1510, if the scan resultsin a determination of the presence on device 102 of a copyrighted workfor which payment has not been received from the owner of device 102,the copyrighted work is deleted. Other actions can also be taken at1510. For example, instead of deleting the implicated text, the user canbe presented with a “nag” screen each time the user accesses the text(or the electronic book application) reminding the user to pay for thetext.

Additional Information Regarding Interleaving Techniques

In some embodiments every other cell in RAM is filled with apseudorandom sequence and then the integrity of those cells is verified.In this scenario, at least half of RAM needs to be free (i.e., availablefor overwriting). One approach is to temporarily move enough content tosecondary storage before performing the process. Another approach is toincorporate known parts of RAM as part (or all) of the pseudorandomsequence. This approach will be described in the following paragraphsand a portion of an embodiment of the process is illustrated in FIG. 16.In various embodiments the process shown in FIG. 16 is performed bydevice 102.

In this approach the pseudorandom sequence is augmented with portions ofthe contents of RAM that is also known to verifier 106. RAM content mayinclude any combination of the following: static and dynamic executablecode and data in the kernel, system applications, user downloadableapplications, state information for the applications, and user data(e.g., photographs). Static RAM content (both executable code and datathat is known to the external verifier) can be used by the algorithm anddoes not need to be backed up as it can be restored by reversing theprocess of the memory printing. The content can be used instead ofpseudo-random content, or it can be combined with it in a reversiblemanner, e.g., by XORing RAM content with a pseudo-random string, or withanother sequence intended to sufficiently randomize it. One may useseveral portions of RAM content and combine them with each other in somemanner that is reversible, and where the results are hard to anticipateby an adversary. It is possible to make the contents of particular cellshard to anticipate even if they have known content simply by making thelocations of the known material hard to anticipate, as demonstratedbefore using the reading of material according to a sequence determinedby a step value.

A list of all running processes is obtained through the host OS (1602)and a list of hashes (or other tags or descriptions) is obtained fromverifier 106 (1604). A list of usable segments is initialized (1606).For each process in the list of processes (1608): static segments areidentified (1610). A hash of the identified segment(s) is calculated(1612) and compared with a list obtained from verifier 106 to see if theprocess is known (1614). If it is known, the segment is classed asusable (since verifier 106 can recreate the same RAM image in itsmemory) (1616). The usable segments are sorted according to the hash ofeach segment (1618), or in another manner that results in a predictableordering given known content. This is done to avoid the need ofcommunicating the exact locations of each segment from device 102 toverifier 106. Alternatively, location information can be communicated.This location information can be a short description indicating howsorted or otherwise ordered content is located, or longer descriptionsindicating where each portion is located.

The segments are rearranged in physical RAM of client 102 and mayinclude conversion from a virtual address space. The usable segments areplaced in one half of physical RAM and unusable segments (unknown toverifier 106) are placed in the other half. In some embodiments, ifthere are too many unusable segments to fit in half of RAM theovershooting part is backed up or ignored, as applicable. A priority canalso be applied to the unusable segments, such that state informationand user data is given a higher priority over user applications whendetermining which portions of the unusable segments to backup and whichwill remain in RAM. If there are too many usable segments to fit in halfof RAM the overshooting part may be stored in the half reserved forunusable segments, or may be ignored. The two halves of RAM are theninterleaved so that contents of one half are placed at even RAM cellsand the other half on odd RAM cells. As used herein, a “cell” is thenative word size of the CPU or other appropriate unit.

In some embodiments cells containing the usable segments are perturbedby a pseudorandom sequence (e.g., seeded by verifier 106). This can bedone either before or after interleaving the two RAM halves. Protectionfrom malware can also be achieved without perturbing the usable segmentswith a pseudorandom sequence. For example, the cells containing thepseudo random sequence can be internally shuffled (and optionallyrepeated to fit the entire half of RAM). In this scenario, externalverifier 106 determines the type of shuffling to be employed. Oneexample is to use a “card shuffling” algorithm, such as the Fisher-Yatesshuffle, with a random number generator that is seeded by the verifier.If not the entire half of RAM dedicated to usable segments is filled,the remainder can be initially filled with a pseudorandom sequence, orit can alternatively be topped up with copies of the usable segments.

Additional examples are as follows: Each of the dwords of the materialcan be rotated one bit left, XORed with a constant, or XORed with avalue from a function. The constant and/or function is in someembodiments provided by verifier 106. For example, verifier 106 can senda value OFFSET=120, and each dword of the material is XORed with 120before being written. A sequence of dwords of the material can also beXORed or otherwise manipulated using a sequence of values, such asvalues generated from a pseudorandom generator or approximation thereof,where the seed is provided by verifier 106, or provided by some othertrusted source that also provides it to the verifier. The de-obfuscationprocess after the memory-printing process would undo these offsets byrotating one bit right, XORing in the same constant or sequence, or moregenerally, reversing the obfuscation operations.

The obfuscation process can also involve writing a sequence of materialdwords in a manner that is not predictable a priori to an attacker,e.g., using a step value or a function that defines the order. Thiscould be the same or another step value than used for the read order,and could be an independently chosen value. In the case where the writeorder is used as an obfuscation process, the de-obfuscation processwould read back to continuous blocks matching the state before theobfuscation.

These types of obfuscation can be combined, and can be used along withyet other obfuscation techniques. In addition, the interleavingtechniques described herein can be used in which some portions of memoryis skipped when performing the obfuscation/deobfuscation and also whenthe memory-printing process is performed.

FIGS. 17A-17D illustrate conceptual views of a physical memory. FIG. 17Aillustrates the contents of the physical memory at the outset of theprocess shown in FIG. 16. Specifically, portion 1702 of the memoryrepresents a microkernel (e.g., auditor 506), and the remainder of thephysical memory (1704) has not yet been classified. In FIG. 17B, thevarious types of RAM contents are identified. Specifically, the whiteportions (e.g., 1706) indicate unallocated space which is zeroed out.The horizontally striped portions (e.g., 1708) indicate usable segmentsand the vertically striped portions (e.g., 1710) indicate unusablesegments. In FIG. 17C, the respective types of contents are groupedtogether. In FIG. 17D, the usable and unusable segments are interleaved(1712). There are more usable than unusable segments, as indicated inregion 1714. Once the physical memory is in a state such as is shown inFIG. 17D, additional processing can be performed, such as is describedin more detail below.

An alternate view of a portion of the memory shown in FIG. 17D ispresented in FIG. 18. In the example shown, each of the odd numbereddwords (e.g., empty box 1802) is used to hold “unusable” segments, whileeach of the even numbered dwords (e.g., checked box 1804) is used tohold “usable” segments.

FIG. 19 illustrates an embodiment of a process for performing a deviceaudit. In some embodiments the process shown in FIG. 19 is performed bydevice 102. The process begins at 1902 when contents of a physicalmemory are classified. As one example, at 1902, the contents of memory204 are classified by auditor 506. One way of classifying the contentsof memory 204 is into “usable” and “unusable” segments, as describedabove. The classification can be further refined, such as by subdividingthe “unusable” contents into buckets based on factors such as whetherthe contents are stored elsewhere (e.g., in memory 206), whether thecontents are applications, state information, or user data, etc.

At 1904, a determination is made as to whether (and if so, where) torelocate contents of memory 204 based on the classification determinedat 1902. For example, applications (and/or the kernel) appearing on awhitelist (e.g., for which hashes have been received from verifier 106)are designated for use by the memory printing routine, and mayultimately be copied into even dwords such as even dword 1804(potentially after being obfuscated or otherwise transformed). Itemsthat will not appear on such a whitelist (and are thus “unusable”)include certain applications (e.g., user compiled) and data/stateinformation. A copy of the applications will exist elsewhere, such as inmemory 206. In the case of data/state information, copies may or may notexist elsewhere. Further, of the data/state information that is presentonly in memory 204, some may be needed or desired by the user to beretained (e.g., a photograph), while some may not (e.g., the state of aphone application). As explained above, if there are too many unusablesegments to fit in half of the RAM (e.g., the odd dwords), theovershooting part can be backed up or ignored, as applicable.Preferences for/prioritization of whether to include a given unusablesegment in the half of RAM, to back it up, or to ignore it isconfigurable. For example, in the event there are too many unusablesegments, data/state information that is present only in RAM can bedesignated as material that is to stay in RAM (i.e., be moved into theodd dwords), while unusable applications can be ignored (e.g., becausethe information is already stored in memory 206). As another example,instead of preserving an application in RAM, a determination can be madeat 1804 to record the name of the application (or other reference to theapplication) either in a portion of RAM (i.e., odd dwords) or in memory206. In another embodiment, usable applications are stored in both evenand odd cells, where the even cells are XORed with an obfuscating stringas well. In yet another embodiment, usable applications are stored inboth even and odd cells, with all of these being XORed with anobfuscating string. In addition, location information is communicated toa verifier, or a particular order is imposed on portions of the materialstored in RAM. This is done both to allow the external verifier toreconstruct the RAM memory contents later to be accumulated, and toallow the device to reconstuct the applications and their state from thematerial stored in even and odd cells.

At 1906, a negotiation of what material will be used for writing theeven cells is made between verifier 106 and device 102. The negotiationcan take many forms. For example, at 1906, device 102 may provideverifier 106 with a list of applications and verifier 106 may instructdevice 102 to use particular applications (in a particular order) and/orthe device kernel to overwrite the even dwords. As another example,verifier 106 may instruct device 102 to use certain system applicationsthat are known to be preinstalled on device 102, without polling device102. As yet another example, verifier 106 may instruct device 102 to useparticular applications as combined with a pseudorandom string (seededby verifier 106). In some embodiments the seed is provided by verifier106 only after a determination of which other material (e.g., usablesegments) will be used for writing has been made. For example, device102 could provide to verifier 106 an identification of its usablesegments (e.g., by name or by hash value) and if the usable segments areacceptable to verifier 106, verifier 106 responds with a seed. In someembodiments (e.g., if device 102 does not include any usable segments),verifier 106 instructs device 102 to use a pseudorandom string, only, towrite the even dwords, and does not use the “usable” segments describedabove.

At 1908, a step value is received from verifier 106. In some embodimentsthe processing of 1906 and 1908 are combined and/or portions are omittedas applicable.

At 1910, the physical memory is written in accordance with thedetermination(s) made at 1904 and the negotiation made at 1906. Forexample, at 1910, any unusable segments that will overflow half of theRAM are copied to memory 206 as applicable. As explained above, in somecases, rather than writing information such as an entire application, areference to the application (such as its name or location) is insteadwritten. By doing so, instead of requiring a full write to andsubsequent read from secondary memory for a given application, only asmall write (and the full read) will be required to restore theapplication after the process shown in FIG. 19 completes, achieving aconsiderable speed improvement. Other examples of writing that occur at1910 include writing the material negotiated at 1906 to the even dwords(including both static segments and including any pseudorandom datagenerated from a seed) and writing the odd dwords with the unusablesegments that do not overflow.

At 1912, physical memory 204 is selectively read. In some embodiments,portion 1108 of the process shown in FIG. 11 is performed at 1912.Either all of memory 204 or a portion of memory 204 may be read at 1912.For example, instead of reading all of memory 204 (or everything but themicrokernel), in some embodiments only the even dwords are read (e.g.,in accordance with the step value received at 1908). The accumulation ofcontent that is read can be made using a variety of methods. One thatalready has been mentioned is to use a so-called accumulator, which is atype of cryptographic function that does not have particular homomorphicproperties. In another embodiment, a so-called cryptographic hashfunction is used to combine the content that is read, In yet anotherembodiment, a combining function is used, for which it is difficult toanticipate the result without knowledge of the input material (thecontent that is read), and for which it is difficult to createalternative memory contents in very short time, for which the expectedfunction output value is computed, but where the alternative memorycontents allow hiding of unwanted instructions or data. At 1914, theresults of the computation performed at 1912 is proved to an externalverifier. In some embodiments portion 1110 of the process shown in FIG.11 is performed at 1914. The writing to and reading from RAM is usedabove as an example. Other types of memory can also be used inaccordance with the techniques described herein instead of or inaddition to RAM.

After the process shown in FIG. 19 completes, physical memory 204 can bereturned to the state it was in prior to the process of FIG. 19 beingperformed. For example, any applications that were previously loaded inRAM can be reloaded. Other actions can also be performed upon completionof the process shown in FIG. 19 such as a reboot of the device. Afterthe verification has completed, the original state of RAM isconstructed, or desirable portions of this original state. This can beperformed in phases, with selected programs, applications or routinesbeing executed between such phases. For example, in one embodiment, thebrowser and portions of its state may be reconstituted in a first phase,after which a particular webpage is accessed. After this access hascompleted, a second phase is performed, where this second phase mayconsist of reconstituting additional applications and their state. Thisreconstitution process reads back selected portions of code and datainto portions of RAM where it can execute. In addition, appropriatecontents of the stack and other state is reconstituted in order to allowexecution to continue where it left off, where desirable. In the casewhere RAM contents are stored in RAM in a manner that does not allow forexecution, e.g., with data spread out in odd cells, and instructionsstored in even cells.

Two example ways in which the process can be unwound are: (1) bybacktracking the steps of the process back-to-front, and (2) by usinganother front-to-back process producing the same results. The firstalternative requires the pseudorandom sequence generator(s) to be ableto run in reverse to undo data shuffles and (possible) XOR perturbs. Thesecond alternative requires finding the inverse algorithm for datashuffling and XOR perturbing.

The first approach is suitable if a shuffling algorithm such asFisher-Yates has been used. Pseudorandom numbers in a diminishing rangeare generated to identify the cells with which to swap contents. SeeFIG. 20. An extended version which also perturbs data is illustrated inFIG. 21. Note that the exact order of the blocks in the flow charts candeviate and still produce equivalent results. The processes can beunwound or reversed by following the corresponding flow charts in FIG.22 and FIG. 23 (with simple shuffling and shuffling with dataperturbation) respectively. The steps are essentially reversed and relyon a pseudorandom sequence generator that can be put in reverse, such asa linear feedback shift register. In the example shown in FIGS. 20-23,index 1 is used for the first cell.

The second approach can be used with a traversal of the cells using astep size that is relatively prime to the number of cells. This isillustrated in FIG. 24. Note that index 0 is used to identify the firstcell in FIG. 24. Back-tracking this algorithm requires running the samealgorithm again with the same step value. XOR-perturbing the cells usinga pseudorandom sequence can further augment the second approach. This isillustrated in FIG. 25 where two pseudorandom values are XORed onto thecells after they are swapped. The algorithm needs to be slightly changedto reverse the process, as can be seen in FIG. 26 where the XORs areplaced before the swap rather than after. Note that the two algorithmscan be swapped, i.e. using FIG. 26 for scrambling and FIG. 25 fordescrambling.

Although the foregoing embodiments have been described in some detailfor purposes of clarity of understanding, the invention is not limitedto the details provided. There are many alternative ways of implementingthe invention. The disclosed embodiments are illustrative and notrestrictive.

What is claimed is:
 1. A system, comprising: a physical memory; and oneor more processors configured to: receive one or more hardwareparameters that correspond to a hardware configuration and receive, froma first unit, initialization information, wherein the initializationinformation includes one or more values provided by a second unit;selectively write to a set of cells of the physical memory in accordancewith a function; selectively read the physical memory and determine atleast one result; and provide the result to the first unit, wherein thefirst unit is configured to generate a timing measure associated withthe result, and wherein the first unit is further configured to providethe result and the timing measure to a third unit; wherein the thirdunit is configured to generate a security determination based at leastin part on the result and the timing measure.
 2. The system of claim 1wherein the set of cells consists of even numbered dwords.
 3. The systemof claim 1 wherein the one or more processors are further configured toclassify the contents of at least a portion of the physical memory. 4.The system of claim 3 wherein the one or more processors are configuredto classify the contents at least in part by determining whether asegment is static or dynamic.
 5. The system of claim 1 wherein the oneor more processors are configured to selectively write the set of cellsbased on instructions provided by the second unit.
 6. The system ofclaim 5 wherein the instructions include an identifier of at least oneapplication the static portion of which is to be used in the selectivewriting.
 7. The system of claim 1 wherein the one or more processors areconfigured to selectively write at least in part by writing anexecutable portion of a kernel to a subset of the cells of the physicalmemory in accordance with the function.
 8. The system of claim 1 whereinthe one or more processors are configured to selectively write at leastin part by writing an executable portion of a known-to-the second unitapplication to a subset of the cells of the physical memory inaccordance with the function.
 9. The system of claim 8 wherein the oneor more processors are configured to send the name of the application tothe second unit.
 10. The system of claim 8 wherein the one or moreprocessors are configured to receive at least one of a hash and adescription of the application from the second unit.
 11. The system ofclaim 1 wherein the one or more processors are further configured todetermine whether to copy contents of a portion of the physical memoryto a secondary memory.
 12. The system of claim 1 wherein the one or moreprocessors are further configured to determine whether to write anidentifier associated with an application resident in the physicalmemory.
 13. The system of claim 1 wherein the one or more processors arefurther configured to determine whether to write state informationassociated with an application resident in the physical memory.
 14. Thesystem of claim 1 wherein the one or more processors are configured toselectively read the physical memory based at least in part on a stepvalue.
 15. The system of claim 1 wherein the one or more processors areconfigured to determine the result at least in part by using anaccumulator.
 16. The system of claim 1 wherein the one or moreprocessors are configured to read only one half or fewer of the cells ofthe physical memory.
 17. The system of claim 1 wherein the one or morevalues includes a cryptographic value.
 18. The system of claim 17wherein the cryptographic value comprises a cryptographic seed value fora pseudorandom number generator.
 19. The system of claim 17 wherein thecryptographic value comprises a cryptographic key value.
 20. The systemof claim 17, wherein the function is based at least in part on the oneor more cryptographic values.
 21. The system of claim 1 wherein thefirst unit comprises a proxy.
 22. The system of claim 21, wherein thefirst unit comprises a subscriber identity module configured to serve asthe proxy.
 23. The system of claim 21 wherein the proxy comprises asoftware proxy.
 24. The system of claim 23, wherein the step value isincluded in the initialization information.
 25. The system of claim 1,wherein the second unit and a device associated with the physical memoryare collocated.
 26. The system of claim 1, wherein the second unit isexternal to a device associated with the physical memory.
 27. The systemof claim 1 wherein the second and third units comprise respective firstand second verifiers.
 28. The system of claim 27 wherein the first andsecond verifier are the same.
 29. The system of claim 27 wherein thefirst and second verifier are different.
 30. The system of claim 1wherein the one or more processors are further configured to receive agrant of access to a resource that is based at least in part on thesecurity determination.
 31. The system of claim 30 wherein grant ofaccess permits decryption of information.
 32. The system of claim 30wherein the resource is associated with a network entity.
 33. The systemof claim 1, wherein the security determination is associated withdetection of at least one of malware, jailbreaking, pirated content, andmodification of software included in the physical memory from anexpected configuration.
 34. A method, comprising: receiving one or morehardware parameters that correspond to a hardware configuration andreceiving, from a first unit, initialization information, wherein theinitialization information includes a value provided by a second unit;selectively writing, using one or more processors, to a set of cells ofthe physical memory in accordance with a function; selectively reading aphysical memory and determining at least one result; and providing theresult to the first unit, wherein the first unit is configured togenerate a timing measure associated with the result, and wherein thefirst unit is further configured to provide the result and the timingmeasure to a third unit; wherein the third unit is configured togenerate a security determination based at least in part on the resultand the timing measure.
 35. A system, comprising: a physical memory; andone or more processors configured to: receive one or more hardwareparameters that correspond to a hardware configuration and receive, froma first unit, initialization information, wherein the initializationinformation includes a value provided by a second unit; perform asequence of modifications to the physical memory; provide results to thefirst unit, wherein the first unit is configured to generate a timingmeasure associated with the result, and wherein the first unit isfurther configured to provide the result and the timing measure to athird unit, wherein the third unit is configured to generate a securitydetermination based at least in part on the result and the timingmeasure; and perform a scan once it is determined that no evasivesoftware is active in the physical memory; wherein the scan is performedbased at least in part on one or more criteria received from at leastone of the second unit and the third unit.
 36. The system of claim 35wherein the one or more processors are further configured to perform anaction based at least in part on a result of the scan.